The generic approach we discussed to take is:
- use a coarse timestamp which is only updated once a day or a defined period of time (1hr, 8hr, etc)
- replicate this timestamp instead of krblastsuccessfulauth
- write a 389-ds plugin that uses the new timestamp attribute to decide on lockout
- potentially provide an additional LDAP control for non-Kerberos/non-LDAP auth (ssh public keys, etc) to allow advisory notification from SSSD during PAM session phase
- for the defined period of time, maybe add it to a password policy definition so that it is tracked in a single place
*** Bug 1273040 has been marked as a duplicate of this bug. ***
Any progress on this most interesting RFE?
Will this feature ever be available for IDM on RHEL8 or even to RHEL9? The initial request is already from 2018 ... It is also part of the FreeIPA design document for several years now.
This feature is currently not considered for development in the near future due to other, more pressing tasks. https://freeipa.readthedocs.io/en/latest/designs/disable-stale-users.html describes a potential design but is not implemented. As described in the design document, there is no good way to identify activity of users for all supported authentication scenarios in FreeIPA. One common use case that cannot be handled is ssh private key authentication without use of Kerberos or LDAP authentication.