Can I automatically unlock accounts locked by ppolicy?

The documentation describes how to automatically lock out accounts based on the ppolicy LDAP overlay.
By default this lock is infinite because the attribute pwdLockoutDuration is set to 0 when not defined.
The following command can be used to define an unlock after 1 hour:

# Bind as the LDAP administrator (password read from /etc/ldap.secret) and add a
# one-hour pwdLockoutDuration to the default ppolicy entry. The here-document
# delimiter is unquoted so that $(ucr get ldap/base) is expanded by the shell.
ldapmodify -x -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret <<__EOT__
dn: cn=default,cn=ppolicy,cn=univention,$(ucr get ldap/base)
changetype: modify
add: pwdLockoutDuration
pwdLockoutDuration: 3600
__EOT__

During this time the locked account can be unlocked as described in the documentation.
Even after the lockout time has elapsed, the account will still be marked as locked until a logon attempt with a valid password has been recorded.
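As an added illustration (not part of the original post or of Univention's code), the following Python script applies the ppolicy rules the post relies on to a constructed account entry and policy entry in ldapsearch LDIF form: pwdLockoutDuration unset or 0 means no automatic unlock, otherwise the lock lifts pwdLockoutDuration seconds after pwdAccountLockedTime, and the value 000001010000Z marks an administrative lock that never expires. The DNs and timestamps are sample values; the "expired" state is the situation described above, where the lock has run out but pwdAccountLockedTime is still present until a successful bind clears it.

```python
"""Evaluate the lockout state of an LDAP account under the slapd ppolicy overlay.

Added example; the entry and policy data below are constructed samples in the
format ldapsearch prints, not output from a real directory.
"""
from datetime import datetime, timedelta, timezone

# ppolicy stores this sentinel in pwdAccountLockedTime for an administrative lock.
PERMANENT_LOCK = "000001010000Z"


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (no base64 or line folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime as slapd writes it: YYYYmmddHHMMSS[.fff]Z (UTC)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lockout_status(entry, policy, now):
    """Return (state, seconds_remaining) for an account at time `now`.

    `now` may be a timezone-aware datetime or a GeneralizedTime string.
    States: not_locked, permanent, no_auto_unlock, locked, expired.
    """
    if isinstance(now, str):
        now = parse_generalized_time(now)
    locked = entry.get("pwdAccountLockedTime")
    if not locked:
        return ("not_locked", 0)
    if locked[0] == PERMANENT_LOCK:
        return ("permanent", None)
    # Missing pwdLockoutDuration behaves like 0: the lock never expires by itself.
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if duration == 0:
        return ("no_auto_unlock", None)
    expires = parse_generalized_time(locked[0]) + timedelta(seconds=duration)
    if now >= expires:
        # Lock has run out, but the attribute stays until the next successful bind.
        return ("expired", 0)
    return ("locked", int((expires - now).total_seconds()))


# Constructed sample data (dc=example,dc=org stands in for the real ldap/base).
SAMPLE_LOCKED = parse_ldif("""
dn: uid=jdoe,cn=users,dc=example,dc=org
uid: jdoe
pwdFailureTime: 20240505115950Z
pwdFailureTime: 20240505120000Z
pwdAccountLockedTime: 20240505120000Z
""")

SAMPLE_ADMIN_LOCKED = parse_ldif("""
dn: uid=svc-backup,cn=users,dc=example,dc=org
pwdAccountLockedTime: 000001010000Z
""")

SAMPLE_CLEAN = parse_ldif("""
dn: uid=asmith,cn=users,dc=example,dc=org
uid: asmith
""")

# Default policy as shipped (no pwdLockoutDuration) and the one-hour variant.
POLICY_DEFAULT = parse_ldif("""
dn: cn=default,cn=ppolicy,cn=univention,dc=example,dc=org
pwdMaxFailure: 5
""")

POLICY_ONE_HOUR = parse_ldif("""
dn: cn=default,cn=ppolicy,cn=univention,dc=example,dc=org
pwdMaxFailure: 5
pwdLockoutDuration: 3600
""")

if __name__ == "__main__":
    for label, entry, policy, when in [
        ("default policy", SAMPLE_LOCKED, POLICY_DEFAULT, "20240505123000Z"),
        ("1h, 30 min in", SAMPLE_LOCKED, POLICY_ONE_HOUR, "20240505123000Z"),
        ("1h, 2 h later", SAMPLE_LOCKED, POLICY_ONE_HOUR, "20240505140000Z"),
        ("admin lock", SAMPLE_ADMIN_LOCKED, POLICY_ONE_HOUR, "20240505140000Z"),
        ("never locked", SAMPLE_CLEAN, POLICY_ONE_HOUR, "20240505140000Z"),
    ]:
        print(f"{label:15} -> {lockout_status(entry, policy, when)}")
```

In operation you would feed the script the real entry (`ldapsearch ... uid=jdoe pwdAccountLockedTime pwdFailureTime`) and the policy entry named in the post, with `now = datetime.now(timezone.utc)`.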
