
OSX Server - LDAP / pwpolicy - How to disable an account?

Hi.


For some reason, Apple is great at just changing the syntax or path of <insert random feature here>.

And thus, I'm having trouble disabling an account (not locking it; that seems to work fine by setting pwdLastSet to 0), which should stop the user from logging in.


The reason being is that i'm creating a scenario where:


* User tries to log in 3 times -> Gets locked out

* A script running in the background unlocks the account after 30min or so


In between, or even after, the system administrator has a neat button to disable accounts. It shouldn't just lock out the accounts, because that would sort of defeat the purpose of the script and the whole locked-out mechanism, but rather disable the account altogether, rendering the user's account invalid for logins even if the correct password is supplied and the account is unlocked/never locked in the first place.



Is this possible? And where do I get & set this value, because it sure isn't stored in the LDAP directory any longer (or wasn't even in the first place?).



Script language: PHP





(Note: I come from a Unix and somewhat Windows background, and finding things in OSX is more confusing than not, since 80% of the guides and documentation are obsolete if you even manage to find any on the interwebs, hence why I need help with even the basic stuff such as figuring out how and where the mechanics are for the different password/account parts.)

Virtual and Some default server?-OTHER, OS X Server, PHP, Apache, OpenLDAP (?)

Posted on Apr 3, 2013 3:15 AM

4 replies

Apr 17, 2013 12:13 AM in response to hvornum

One solution is to:


pwpolicy -a diradmin -u ajohnson -setpolicy "isDisabled=1"


But this doesn't disable the local user account (if there is one),

so then you would have to do:


sudo dscl . -create /Users/ajohnson UserShell /usr/bin/false


And this must be synced via some sort of script (idiotic infrastructure server solution.. it's not a server unless the user depends on it, then it's just a can with a bunch of server software running standalone).


There's also some other workarounds described here:

http://serverfault.com/questions/61214/how-can-i-disable-a-user-account-from-the-cli-with-mac-os-x-server


But none of these does what I want to do; I want to unify the whole administration via a web GUI (or an OpenGL-built GUI) that can interact with the system running the accounts (LDAP).

So why in the name of the green planet can't I access all the data where it's designed to be? deviant apple is deviant..
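An added example, not code from the thread: it wraps the two steps from the reply above (pwpolicy isDisabled for the directory account, a non-login shell for any matching local account) into one script that the PHP front end or the background job can call, and it checks the username before it touches a command line. The "diradmin" name, the PWPOLICY_PASS variable and /bin/bash as the shell to restore are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the two steps from the reply
# (pwpolicy isDisabled for the directory account, a non-login shell for any
# matching local account) into one script for the web GUI or a cron job.
# Assumptions: the directory admin is "diradmin", its password arrives in
# PWPOLICY_PASS (visible in the process list, so restrict who may run this),
# and /bin/bash is the shell to restore on enable.

DIRADMIN="${DIRADMIN:-diradmin}"

# Allowlist check: the name lands on a command line, so reject anything that
# is not a plain short name before it reaches pwpolicy or dscl.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Directory side. isDisabled=1 refuses logins even with the right password,
# unlike a lockout, which the 30-minute unlock job would undo.
set_directory_state() {   # $1 = user, $2 = 1 (disable) or 0 (enable)
    pwpolicy -a "$DIRADMIN" -p "$PWPOLICY_PASS" -u "$1" -setpolicy "isDisabled=$2"
}

# Local side. The directory policy does not cover a local account of the same
# name, so give it a non-login shell; skip silently if there is none.
set_local_state() {       # $1 = user, $2 = 1 (disable) or 0 (enable)
    dscl . -read "/Users/$1" >/dev/null 2>&1 || return 0
    if [ "$2" = 1 ]; then shell=/usr/bin/false; else shell=/bin/bash; fi
    sudo dscl . -create "/Users/$1" UserShell "$shell"
}

# Read the policy back so the caller reports the real state, not the intent.
account_state() {         # prints "disabled" or "enabled"
    if pwpolicy -a "$DIRADMIN" -p "$PWPOLICY_PASS" -u "$1" -getpolicy \
        | grep -q 'isDisabled=1'; then echo disabled; else echo enabled; fi
}

set_account() {           # $1 = user, $2 = disable | enable
    valid_username "$1" || { echo "refusing unsafe username: $1" >&2; return 2; }
    case "$2" in disable) flag=1 ;; enable) flag=0 ;; *) return 2 ;; esac
    set_directory_state "$1" "$flag" && set_local_state "$1" "$flag" || return 1
    account_state "$1"
}

# Usage: PWPOLICY_PASS=... ./account_ctl.sh ajohnson disable
[ $# -eq 2 ] && set_account "$1" "$2"
```

From PHP, call it with escapeshellarg() on the username and show the "disabled"/"enabled" line it prints; the script's own check still rejects anything that is not a plain short name.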

