The documentation describes how to automatically lock out accounts based on the ppolicy LDAP overlay.
By default this lock is infinite because the attribute pwdLockoutDuration is set to 0 when not defined.
The following command can be used to define an unlock after 1 hour:
ldapmodify -x -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret <<__EOT__
dn: cn=default,cn=ppolicy,cn=univention,$(ucr get ldap/base)
changetype: modify
add: pwdLockoutDuration
pwdLockoutDuration: 3600
__EOT__
During this time the locked account can be unlocked as described in the documentation.
Even after the lockout time has elapsed, the account will still be marked as locked as long as a logon attempt with a valid password was recorded.
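
For auditing, the lock state of an entry can be derived from its pwdAccountLockedTime value and the policy's pwdLockoutDuration. The following Python sketch is an added example, not part of the original article or of UCS: the function names and state labels are hypothetical, the sample entries are constructed, and it assumes the standard ppolicy operational attribute pwdAccountLockedTime, including the special value 000001010000Z that ppolicy uses for a lock only an administrator can lift. It distinguishes a lock that is still enforced from one whose lockout time has elapsed while the entry is still marked as locked.

```python
from datetime import datetime, timedelta, timezone

# ppolicy value meaning "locked until an administrator unlocks the account".
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime such as 20240101120000Z (fraction ignored)."""
    body = value.rstrip("Z").split(".")[0]
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lock_state(locked_time, lockout_duration, now):
    """Return (state, unlock_at) for one account.

    locked_time      -- pwdAccountLockedTime of the entry, or None if absent
    lockout_duration -- pwdLockoutDuration in seconds; None or 0 means infinite
    now              -- timezone-aware datetime used as the reference time
    """
    if locked_time is None:
        return ("not_locked", None)
    if locked_time == PERMANENT_LOCK or not lockout_duration:
        # Infinite lock: only a manual unlock removes it.
        return ("locked_until_admin_unlock", None)
    unlock_at = parse_generalized_time(locked_time) + timedelta(seconds=lockout_duration)
    if now < unlock_at:
        return ("locked", unlock_at)
    # The lock is no longer enforced, but the attribute is still on the entry.
    return ("expired_but_still_marked", unlock_at)


if __name__ == "__main__":
    # Constructed sample data: uid -> pwdAccountLockedTime as read from LDAP.
    sample = {
        "alice": "20240101120000Z",
        "bob": "20240101100000Z",
        "carol": PERMANENT_LOCK,
        "dave": None,
    }
    reference = datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)
    for uid, locked in sample.items():
        state, unlock_at = lock_state(locked, 3600, reference)
        print(uid, state, unlock_at.isoformat() if unlock_at else "-")
```
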