[Samba] prevent ldap bind for specific user

[lists]

Hi,

We are looking for ways to limit the logon options for a specific user. 
We have configured "logon hours" and "logon to".

We noticed however that this dis not prevent the user from accessing 
ldap-authenticated services. (such as our intranet, etc)

Is there a way to configure samba to disallow ldap binds completely for 
a specific user?

Thanks for suggestions!

MJ