Novell eDirectory 8.8 for NetWare 6.5
When an LDAP client attempts to authenticate to a server where
the command "disable login" has been issued, the bind will fail
with an error -254. This behavior is correct. However, if the
authenticating user belongs to a container where "Intruder
detection" is configured, the attempt to bind to server will cause
the intruder count to be increased, eventually leading to the
account being locked.
Note that the same client attempting to log in with an NCP client will not cause the intruder count to increase.
If there are certain accounts that are more susceptible to be affected by this behavior (like service accounts that monitor the server regularly through LDAP) it is possible to implement a simple workaround to prevent this problem. The solution would be to create a Universal Password Policy that removes the NDS password and sets the Simple password. This way the LDAP bind will be performed through NMAS and the problem will not occur.
If the system is running eDirectory 8.8 or above, then it is also possible to set the environment variable "NDSD_TRY_NMASLOGIN_FIRST" to true and the implement a Universal Password policy that affects the desired users, in order to force the bind to go through the NMAS libraries.
Refer to section 4.2"How to Make Your Password Case-Sensitive" in the eDirectory documentation to set this variable.