It looks like Phone Apps are somehow causing the usermanager to auth to our AD server (tested with App-Status). Since the passwords of individual users other than your ldap reader aren’t stored in your database… such checks are not only doomed to fail. They also lockout our users who are just trying to use the cool phone apps!
I’m assuming that the PhoneApps module is invoking the CheckCredentials in Userman.class.php, when it should be using the Msad2.php version of the function. But I do not actually know PHP and can’t dig into the PhoneApps commercial module.
All our phones are P3xx series phones, so unfortunately switching to XML-API apps is not an option to troubleshoot this.