Error updating user accout status after calling Login Policy Check LDAP Extension

I noticed this error popping up in my IdP logs (NAM 5.0.1):

"Error updating user accout status after calling Login Policy Check LDAP Extension for user cn=xxx,o=xxx on user store MYTREE. Error code: -659."

The incorrect spelling of account is how it appears in the logs as well.

The user store is eDir and the proxy user has Entry Browse, All Attribute Read/Compare, and WRITE to ACL and the OAuth grant attribute. What other rights are needed for the proxy user? I really don't want to just give it wide open admin rights (Entry Supervisor) if I can avoid it. But I cannot find any docs that indicate what else is needed.

Matt