My company uses OpenLDAP for user authentication in the datacenter and ran across a strange problem that seems very similar to this. It was present in at least OpenLDAP 2.4.16. We tracked it down to a weird problem in the password policy overlay. If I recall right, the password policy overlay was returning a successful response to updating the last failed login time attribute, but that was being passed up and causing binds to return true also. Our solution was to remove the password policy overlay, and we have not gone back to revisit it.
I do not know if OpenLDAP in Lion uses the password policy overlay, but if it does, it would be an easy test to disable it and see if the problem persists. I post here because I don't really feel like registering to a Mac-related forum that I will only post once on. I hope someone finds this and finds it useful.
Time is the most valuable thing a man can spend. -- Theophrastus