I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.
That's by intention (or should be). You never want to differentiate to the client the difference between the bind failing because of invalid credentials and failing because the account is locked, for security reasons.
Returning "account is locked" instead of "invalid credentials" simply tells an attacker that any further tries are a waste of time, and can be used to know when to continue an attack (especially if the account unlocks after a bit of time, in which case it also tells them how long the lockout is, so they can tune their attack to go right up to the limit and stop, allowing a more successful attack, etc.).
By returning invalid credentials after the account is locked, you don't give an attacker more info to aid in his attack.
This is the same reason why login pages should never ever say things like "user doesn't exist", "password was wrong", "account is locked", etc. - a well designed/secure login page will only say that whatever credentials were supplied are not valid for any unsuccessful login case.
Any other response gives away too much information.
- Jeff
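The behaviour Jeff describes, written out as an added example (not code from the post or from any directory server): the account is locked server-side after 5 failures and the real reason is recorded in an audit trail for the defender, while the client always receives the same "Invalid credentials" response. The lockout window, the `authenticate` function and the in-memory user store are assumptions made for the example; the password hashing is run on every code path so that unknown, locked and wrong-password cases also look alike in timing.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5           # threshold from the question
LOCKOUT_SECONDS = 900      # assumed lockout window for this example
GENERIC_ERROR = "Invalid credentials"   # the only failure text a client ever sees

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))

# Dummy credential for unknown users, so that code path costs the same as a real lookup.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)

def authenticate(users: dict, username: str, password: str, audit: list, now: float = None):
    """Return (ok, client_message). The real failure reason goes only to `audit`."""
    now = time.time() if now is None else now
    acct = users.get(username)
    # Always hash, even for unknown or locked accounts, so timing does not leak the case.
    salt = acct.salt if acct else _DUMMY_SALT
    expected = acct.pw_hash if acct else _DUMMY_HASH
    pw_ok = hmac.compare_digest(_hash(password, salt), expected)
    if acct is None:
        audit.append(f"user={username} reason=unknown_user")
        return False, GENERIC_ERROR
    if acct.locked_until > now:
        audit.append(f"user={username} reason=locked")
        return False, GENERIC_ERROR     # same text as a bad password, even if pw_ok is True
    if not pw_ok:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            audit.append(f"user={username} reason=lockout_triggered")
        else:
            audit.append(f"user={username} reason=bad_password failures={acct.failures}")
        return False, GENERIC_ERROR
    acct.failures = 0
    audit.append(f"user={username} reason=success")
    return True, "OK"
```

The audit list stands in for whatever log your SOC already collects; the lockout is visible there, never in the bind result.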