we need the possibility to prevent ldap imported users from a brute force attack.
Disabling ldap users through failed login attempts is no possibility for us, since we don't want our users to be disabled through a world wide available web site.
simple solution for example could be an increasing timeout per failed login attempt, e.g. 10 sec. for the first wrong attempt, 1 Min for the second ...