We have recently rolled out Zimbra 6.0.4 OSE to production, using Zimbra's own internal LDAP server for its own authentication (in other words, a standard out-of-the-box configuration).
We have a number of other applications that are currently talking to our old LDAP server, but I am slowly transitioning them across to use Zimbra's directory for authentication. The problem we have encountered is that there is often a need for those applications to use LDAP in a way that Zimbra doesn't easily support. For example, some of the applications that we run insist on searching the directory for a user before binding as that user. Other applications run into issues because of the fact that some attributes (like zimbraMailCanonicalAddress) aren't accessible for search/read even for the user that you are bound as.
I am aware that I can easily add additional LDAP users (service accounts) and modify ACLs, but I am concerned that this might complicate upgrades; an upgrade may fail, or these manual changes may get clobbered and need to be re-applied.
Are there any "supported" ways of dealing with service accounts and ACL changes? What's the best way to ensure that upgrades won't break and we won't have to manually apply changes every time we change something?
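The search-then-bind flow described above, as an added example that is not part of the original post and not Zimbra's own code: a dedicated service account binds first, locates the user's DN under a Zimbra-style tree (`uid=<name>,ou=people,dc=<domain>`, assumed here), and only then binds as the user. The two checks a practitioner wants in that flow are an escaped search filter (RFC 4515, so a username cannot alter the filter) and a refusal of empty passwords (an empty-password bind is an anonymous bind under RFC 4513 and would otherwise look like success). `FakeDirectory`, the DNs and the passwords are constructed so the code runs offline; a real deployment would put a client such as ldap3 behind the same `bind`/`search` interface.

```python
"""Search-then-bind with a service account (added example, not from the post)."""
import re
from typing import Optional


class AuthError(Exception):
    """Raised when search-then-bind cannot authenticate the user."""


# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(attr, wanted: str) -> bool:
    if attr is None:
        return False
    return wanted in attr if isinstance(attr, list) else attr == wanted


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server: dn -> (password, attributes)."""

    def __init__(self, entries: dict):
        self.entries = entries
        self.bound_as: Optional[str] = None

    def bind(self, dn: str, password: str) -> bool:
        # Mimic RFC 4513 unauthenticated bind: empty password "succeeds" as anonymous.
        if password == "":
            self.bound_as = None
            return True
        entry = self.entries.get(dn)
        if entry is None or entry[0] != password:
            return False
        self.bound_as = dn
        return True

    def search(self, base: str, filter_str: str, attributes: list) -> list:
        # Anonymous binders see nothing, mirroring the ACL problem in the post.
        if self.bound_as is None:
            return []
        assertions = re.findall(r"\((\w+)=([^()]*)\)", filter_str)
        hits = []
        for dn, (_pw, attrs) in self.entries.items():
            if not dn.endswith(base):
                continue
            if all(_matches(attrs.get(k), _unescape(v)) for k, v in assertions):
                hits.append((dn, {k: attrs[k] for k in attributes if k in attrs}))
        return hits


def search_then_bind(directory, base_dn, service_dn, service_pw, username, password,
                     attributes=("mail",)):
    """Return (user_dn, attributes) or raise AuthError. Never binds anonymously."""
    if not password:
        raise AuthError("empty password refused (would become an anonymous bind)")
    if not directory.bind(service_dn, service_pw):
        raise AuthError("service account bind failed")
    flt = f"(&(objectClass=zimbraAccount)(uid={escape_filter(username)}))"
    hits = directory.search(base_dn, flt, list(attributes))
    if len(hits) != 1:  # zero or several entries: refuse rather than guess
        raise AuthError(f"expected exactly one account for {username!r}, got {len(hits)}")
    user_dn, attrs = hits[0]
    if not directory.bind(user_dn, password):
        raise AuthError("user bind failed")
    return user_dn, attrs


# Constructed sample directory (hypothetical DNs and passwords).
BASE_DN = "ou=people,dc=example,dc=com"
SERVICE_DN = f"uid=svc-auth,{BASE_DN}"
DIRECTORY = FakeDirectory({
    SERVICE_DN: ("svc-secret", {"uid": "svc-auth", "objectClass": ["inetOrgPerson"]}),
    f"uid=alice,{BASE_DN}": ("alice-pw", {
        "uid": "alice",
        "objectClass": ["zimbraAccount", "inetOrgPerson"],
        "mail": "alice@example.com",
        "zimbraMailCanonicalAddress": "alice@example.com",
    }),
})


def login(username: str, password: str):
    """Convenience wrapper over the sample directory; returns the (dn, attrs) pair."""
    return search_then_bind(DIRECTORY, BASE_DN, SERVICE_DN, "svc-secret", username, password,
                            attributes=("mail", "zimbraMailCanonicalAddress"))


if __name__ == "__main__":
    print(login("alice", "alice-pw"))
```

The service account only needs read access to `uid` and the attributes the applications actually consume, which keeps any ACL change small; `login("alice", "")` and `login("alice)(uid=*", "x")` are both refused because the flow checks the password before any bind and escapes the username before the search.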