We've been using the Zimbra LDAP directory as a central authentication service within our company, to provide authentication to Unix shell accounts, Windows via Samba and Web access.

One problem is that when an account is marked as locked or closed in Zimbra it is still possible for it to bind to the LDAP directory and therefore access everything except Zimbra. We therefore have to change a user's password when they leave, which means more work for me and that it's harder to temporarily suspend an account.

I think one way round this would be to put an acl in the slapd.conf.in to prevent entries with zimbraAccountStatus set to closed or locked from binding - but this doesn't seem to be possible (although the acl syntax is quite complex!).

Has anybody else found a way round this?
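
An added example, not part of the original post and not Zimbra's shipped configuration: in OpenLDAP's slapd.access syntax the target of an ACL can carry a `filter=` clause, so a rule can withhold `auth` access to `userPassword` only for entries whose status is locked or closed. The `cn=admins,cn=zimbra` subtree is an assumption about where the administrative bind DNs live; adjust it to the local tree.

```conf
# Added example: deny simple binds for locked/closed accounts.
#
# slapd walks the "access to" rules in order and applies the first one
# whose <what> clause matches, so this rule has to be placed BEFORE the
# existing userPassword rule in slapd.conf.in.
#
# A simple bind needs auth (=x) access to the attribute holding the
# credentials. Entries matching the filter grant that to nobody, so the
# bind is refused even when the password is correct. Entries with any
# other zimbraAccountStatus do not match and fall through to the
# rules that follow.
access to filter="(|(zimbraAccountStatus=locked)(zimbraAccountStatus=closed))"
        attrs=userPassword
    # Assumed admin subtree: keeps password resets possible on
    # suspended accounts. The rootdn bypasses ACLs regardless.
    by dn.children="cn=admins,cn=zimbra" write
    by * none
```

After restarting slapd, a bind as a locked test account (for example with `ldapwhoami -x -D <user DN> -W`) should fail with invalid credentials, while an active account still binds.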