Unlocking LDAP accounts using passwd

So I’m trying to set up an LDAP server and it seems to have all gone pretty well. I set it so that users who type their passwords wrong 5 times are locked out for 20 minutes. That works fine, but if I want to log on as an admin and unlock their account before those 20 minutes are up, it isn’t working.

Normally, (authenticating locally)

passwd -u blank888

works and does what I want it to. If I want passwd to recognize the LDAP server, I use

passwd -D cn=Administrator,dc=example,dc=com -u blank888

When I run that, it always asks for the admin password, like it should, but then it only works on some accounts and not others. Mainly I’ve seen that it only works on accounts that already had local accounts before connecting to the LDAP server.

If I run a passwd -Sa command, I will get something like:
blank888 LK 07/18/2011 0 999 7 -1
blank888 LK 07/18/2011 0 999 7 -1
test LK

blank888 already had an account on the machine, but also had an LDAP account, along with test. So blank888 is showing twice because he has both LDAP and local accounts, whereas test only has an LDAP account. So now if they both get locked out, passwd -D $adminDN -u $account will work for blank888 but not test. Then the results of passwd -Sa would be:
blank888 PS 07/18/2011 0 999 7 -1
blank888 PS 07/18/2011 0 999 7 -1
test LK

I need to be able to unlock test using passwd. The LDAP server is running 11.2, and the hosts are running various Linux distros and XP.
Can anyone think of a way to fix this without removing the LDAP server, adding local accounts for everyone, and then putting the LDAP server back on?

Also, I can get passwd to work with LDAP accounts when I’m trying to lock accounts, change login shells, and change passwords. Unlocking accounts is the only thing that passwd -D won’t do.
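For context, an added example that is not part of the original post: the post does not say how the 5-failure / 20-minute lockout is enforced, so this assumes OpenLDAP with the ppolicy overlay, where a lockout is recorded in the operational attribute pwdAccountLockedTime on the user's entry. passwd -u only edits the password field of a local shadow entry and never touches that attribute, so the usual way to end a lockout early is an ldapmodify that deletes it. The base DN, the uid=<name>,ou=People layout and the admin DN are placeholders; the ldapsearch/ldapmodify calls only do anything when a server is reachable.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenLDAP with the ppolicy
# overlay; a "5 wrong passwords, locked for 20 minutes" policy corresponds to a
# pwdPolicy entry with pwdLockout: TRUE, pwdMaxFailure: 5, pwdLockoutDuration: 1200.
# LDAP_BASE, ADMIN_DN and the ou=People layout below are assumptions.

LDAP_BASE="dc=example,dc=com"           # assumed base DN
ADMIN_DN="cn=Administrator,$LDAP_BASE"  # same admin DN as used with passwd -D

# Build the DN of a user entry from a uid (assumes uid=<name>,ou=People,<base>).
user_dn() {
    printf 'uid=%s,ou=People,%s\n' "$1" "$LDAP_BASE"
}

# Emit the LDIF that clears a ppolicy lockout. Deleting pwdAccountLockedTime
# ends the lock; deleting pwdFailureTime also resets the failure counter so the
# very next wrong password does not immediately re-lock the account.
unlock_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n-\ndelete: pwdFailureTime\n-\n' \
        "$(user_dn "$1")"
}

# Show whether an account is currently locked. ppolicy state lives in
# operational attributes, which are not returned unless requested by name.
show_lock_state() {
    ldapsearch -x -D "$ADMIN_DN" -W -b "$LDAP_BASE" "(uid=$1)" \
        pwdAccountLockedTime pwdFailureTime
}

# Apply the unlock as the admin (prompts for the admin password, like passwd -D).
unlock_account() {
    unlock_ldif "$1" | ldapmodify -x -D "$ADMIN_DN" -W
}

# Usage: sh unlock.sh test   (only meaningful with a reachable LDAP server)
if [ -n "$1" ]; then
    show_lock_state "$1"
    unlock_account "$1"
    show_lock_state "$1"
fi
```

Running show_lock_state before and after the modify is the check worth keeping: if pwdAccountLockedTime is gone afterwards, the server-side lock is cleared regardless of what passwd -S reports on any one host.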

This is a great question. I’m curious if anyone knows how to do this.