If you enable password policy in your LDAP server and activate SOGo to use it, it'll do just that.

I don't want an account to be locked after N tries, I would like to have a penalty timeout for every wrong password.
Password lockouts are evil as there's a simple possibility to run DoS attacks to lock out thousands of accounts.

or did I miss something blatant concerning LDAP password policies?

A combination of pwdLockoutDuration, pwdMaxFailure and pwdFailureCountInterval would give you something very similar. No need to lock the account for a long time.

Pascal: also note that if a delay was to occur server-side because of this, this would also become prone to DoS attacks because of the process limits.

Solution "given" in the ticket - make use of password policy in the LDAP with proper password policy control attributes.