Here's what I'm seeing:

If a user's password is changed on the External LDAP server (Open-LDAP), both the old and the new passwords work. Other servers that authenticate against the same server don't have this problem, so it seems to be a Zimbra issue.

It's like Zimbra is caching passwords somewhere... Is there anyway this can be cleared so only the 'new' password works?