I noticed this error popping up in my IdP logs (NAM 5.0.1):
"Error updating user accout status after calling Login Policy Check LDAP Extension for user cn=xxx,o=xxx on user store MYTREE. Error code: -659."
The incorrect spelling of account is how it appears in the logs as well.
The user store is eDir and the proxy user has Entry Browse, All Attribute Read/Compare, and WRITE to ACL and the OAuth grant attribute. What other rights are needed for the proxy user? I really don't want to just give it wide open admin rights (Entry Supervisor) if I can avoid it. But I cannot find any docs that indicate what else is needed?