Based on Q269181, you can specify a filter attribute like this:
Which turns into something like this:
userAccountControl is the attribute used to store information about the user's password account information.
1.2.840.1135126.96.36.1993 is LDAP_MATCHING_RULE_BIT_AND so it should match every account that has only the value specified.
2 is the value for an account being locked out. This is a decimal bit-mask value specified in Q305144:
So in theory, by adding something like:
ACCOUNTDISABLE 0x2 2 # Account is disabled
NORMAL_ACCOUNT 0x0200 512 # Account is normal
DONT_EXPIRE_PASSWORD 0x10000 65536 # Account Password never expires
Should filter so that only active accounts that are not locked out will be returned by the ldap search. (...804) is the OR operation.
I haven't been able to find a combination that works, though. Has anyone else?