I believe you can set a 'hidden' operational attribute 'dxPwdLocked' in the user account to prevent the user from authenticating. To see this attribute's value, you will have to specifically ask for it. Setting this attribute to 'true' should prevent the user from authenticating. You may need to enable CA Directory password policy configuration for it to work - I'm not sure (didn't have time to test).