As a Delegated Directory user we feel that the option of locking an account after a given number of failed authentication attempts is missing, as is possible with Internal Directories. In case of an account being locked, the account owner would have to ask a Crowd admin to unlock their account.

An even better solution to this problem would be to include the possibility to enforce the user to reset the account password via the external ldap server before Crowd would allow the account unlocking; or even via an encrypted link sent to the user's email address.