Unhack ACLs and Expiry date
If the member has not accepted the TOS, their expiry date is set way in the past so they cannot log in. This is a hack and bad and ugly. Their account should expire with respect to their subscription, not the IT TOS (one can be a member without having accepted the TOS and just not use the infra).
What should be done:
If a member has not accepted the TOS, they should not be in the rainbowdash-login LDAP group. Their account expiry date should be subscription-dependent and not TOS- and subscription-dependent.
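A sketch of the separation proposed above, added here as an example and not taken from the project's code: expiry is derived from the subscription alone, membership of `rainbowdash-login` from TOS acceptance alone, and a planner lists the directory changes needed to get there. The `Member` fields, the action names, the use of the Unix epoch for "way in the past" and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date

LOGIN_GROUP = "rainbowdash-login"   # group name taken from the issue
EPOCH = date(1970, 1, 1)            # assumed stand-in for "way in the past"

@dataclass(frozen=True)
class Member:                       # hypothetical record shape
    uid: str
    tos_accepted: bool
    subscription_end: date

def hacked_expiry(m: Member) -> date:
    """Behaviour the issue describes: TOS state leaks into the expiry date."""
    return m.subscription_end if m.tos_accepted else EPOCH

def desired_state(m: Member) -> dict:
    """Proposed behaviour: expiry follows the subscription, login follows the TOS."""
    return {"expiry": m.subscription_end, "in_login_group": m.tos_accepted}

def plan_changes(members, current_group, current_expiry):
    """Return (uid, action, value) tuples that reconcile the directory."""
    changes = []
    for m in members:
        want = desired_state(m)
        if current_expiry.get(m.uid) != want["expiry"]:
            changes.append((m.uid, "set_expiry", want["expiry"]))
        in_group = m.uid in current_group
        if want["in_login_group"] and not in_group:
            changes.append((m.uid, "add_to_group", LOGIN_GROUP))
        elif in_group and not want["in_login_group"]:
            changes.append((m.uid, "remove_from_group", LOGIN_GROUP))
    return changes

# Constructed sample data: bob has a valid subscription but has not accepted the TOS.
MEMBERS = [
    Member("alice", True, date(2025, 12, 31)),
    Member("bob", False, date(2025, 6, 30)),
]
CURRENT_GROUP = {"alice", "bob"}                      # everyone in the login group
CURRENT_EXPIRY = {m.uid: hacked_expiry(m) for m in MEMBERS}

if __name__ == "__main__":
    for change in plan_changes(MEMBERS, CURRENT_GROUP, CURRENT_EXPIRY):
        print(change)
```
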