OSC / ood_auth_registration

(DEPRECATED - we now use Keycloak for identity brokering) OSC OnDemand Open ID Connect CI Logon Registration page
MIT License

Unfriendly User Message #23

Open MorganRodgers opened 5 years ago

MorganRodgers commented 5 years ago

If an account is locked using the nsAccountLock attribute, then LDAP will refuse to bind. This results in the messaging logic reporting to the user that their Username or Password is incorrect; a better outcome would be to tell them that their account has been locked and they need to contact support.

There is a read-only LDAP account that can be used to test to see if an account has been disabled or locked. This would need to be performed in addition to the bind-as-user, as the read-only account cannot be used to validate user passwords.
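A sketch of the two-step check described in this issue, added here as an illustration; it is not part of the issue or the project's code. The `bind` and `search` callables, the `uid` naming attribute, the message strings and the in-memory directory are assumptions standing in for a real LDAP client and server.

```python
from typing import Callable, Dict, List, Optional

INVALID = "Your username or password is incorrect."
LOCKED = "Your account has been locked. Please contact support."

Entry = Dict[str, List[str]]
Search = Callable[[str, List[str]], List[Entry]]  # hypothetical read-only account search
Bind = Callable[[str, str], bool]                 # hypothetical bind-as-user


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so user input stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def is_locked(username: str, search: Search) -> bool:
    # Assumption: accounts are keyed by uid; nsAccountLock is requested by name.
    entries = search("(uid=%s)" % escape_filter_value(username), ["nsAccountLock"])
    if len(entries) != 1:  # unknown or ambiguous user: never report "locked"
        return False
    values = entries[0].get("nsAccountLock", [])
    return any(v.strip().lower() == "true" for v in values)


def login_message(username: str, password: str, bind: Bind, search: Search) -> Optional[str]:
    """Return None on success, otherwise the message to show the user."""
    if bind(username, password):
        return None
    # A refused bind cannot distinguish a bad password from a lock, so the
    # read-only account is consulted. This reveals lock state to a caller
    # whose password could not be verified.
    return LOCKED if is_locked(username, search) else INVALID


# Constructed directory contents for the demonstration (not real accounts).
DIRECTORY = {
    "alice": {"password": "alice-pw", "nsAccountLock": ["true"]},
    "bob": {"password": "bob-pw"},
}


def fake_bind(username: str, password: str) -> bool:
    e = DIRECTORY.get(username)
    locked = bool(e) and "true" in e.get("nsAccountLock", [])
    return bool(e) and not locked and e["password"] == password


def fake_search(flt: str, attrs: List[str]) -> List[Entry]:
    return [{a: e[a] for a in attrs if a in e}
            for uid, e in DIRECTORY.items()
            if flt == "(uid=%s)" % escape_filter_value(uid)]
```

Escaping the username before it enters the search filter keeps input such as `*` from matching another user's entry during the lock lookup.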