We are using LDAPExtLoginModule against a Microsoft ADAM server for authentication.

There is an LDAP attribute that tracks lockoutTime after 3 bad passwords, but from what I can see, the mechanism to actually reject a login is not built into ADAM...isLockedout is a calculated value from the lockoutTime and lockout interval.

Obviously I can build this into the code, but is this something I can also implement in login-config.xml using just built in parameters?