Okay, new to OpenLDAP, have managed to setup a meta backend/proxy to multiple Active Directory systems that is doing everything I need with one exception.  I can&#39;t figure out a reliable way to filter out disabled accounts on the AD side.  I know how to query this directly against AD of course (NOT UserAccountControl:1.2.840.113556.1.4.803:=2), but after a lot of searching and head scratching I&#39;m not sure how to implement this in my slapd.conf - or even just allow the filter (if specified by a client) to pass through:<div>

<br></div><div><div>My original filter: &quot;(&amp;(objectclass=inetOrgPerson)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))&quot;</div></div><div>From slapd debug output, after passing through the parser: &quot;(objectClass=user)(!(!(objectClass=*)))(?=error)&quot; </div>

<div><br></div><div>As you can see, objectClass inetOrgPerson is mapped to User (and I&#39;ve got some work to do on the Computer objectClass too) but the UserAccountControl bitwise flag is the part I&#39;m hung up on right now.</div>

<div><br></div>