Locked accounts are a terrible terrible idea. All they do is hand attackers an easy DOS vulnerability. They're pure security theatre if your authentication isn't vulnerable to brute force attacks and an unreliable band-aid if they are.
Having dealt with mechanisms for locking accounts in other database they're much more complicated than they appear. You need to deal with different requirements for different users, have multiple knobs for how it triggers and resolves, have tools for auditing the connection attempts to determine if they're legitimate and identify where the incorrect attempts are coming from, and so on. And all that accomplishes in the best case scenario is having lots of busy-work support requests responding to locked accounts and in the worst case scenario upgrading minor issues into major service outages.