I'm still playing with the latest OpenAM 10.0.0 in preparation of a upcoming overseas project.
I came across the Account Lockout feature in OpenAM.
Go Access Control > / (Top Level Realm) > Authentication > All Core Settings ...
Scroll down a little and you'll see the Account Lockout section...
There has been questions asked many times regarding this feature. Many customers thought they can use this OpenAM UI to configure the setting in their backend directory server (Sun DS, OpenDJ or even AD).
This is totally wrong assumption. OpenAM is not capable of and should not even be capable of managing the backend directory server. It only provides a generic authentication mechanism to authenticate with any backend directory server.