MVPHello Bryan.
Check this:
https://devcentral.f5.com/s/question/0D51T00007BG1Pc/insert-client-ip-address-on-ldap-vs
Regards,
Dario.
MVPThanks. That is interesting but doesn't really help in a practical sense as you won't be able to correlate the source ip with the BIND request that actually locked out the account.
Hello Bryan.
It's not possible to inject source IP into an AD request, the same way as with HTTP XFF.
The only way is to disable automap.
In the link shows an example of how to log AD queries by user/real-IP to an external syslog server. Maybe it's a higher level of complexity than you were looking for, but if you find a way to let AD to check those logs before taking the decission to lockout some user, that would be a way to workaround your issue.
I know it's hard, but sometimes customer requirements are too unrealistic :-).
Regards,
Dario.
