Okay, new to OpenLDAP, have managed to setup a meta backend/proxy to multiple Active Directory systems that is doing everything I need with one exception.  I can't figure out a reliable way to filter out disabled accounts on the AD side.  I know how to query this directly against AD of course (NOT UserAccountControl:1.2.840.113556.1.4.803:=2), but after a lot of searching and head scratching I'm not sure how to implement this in my slapd.conf - or even just allow the filter (if specified by a client) to pass through:

My original filter: "(&(objectclass=inetOrgPerson)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
From slapd debug output, after passing through the parser: "(objectClass=user)(!(!(objectClass=*)))(?=error)" 

As you can see, objectClass inetOrgPerson is mapped to User (and I've got some work to do on the Computer objectClass too) but the UserAccountControl bitwise flag is the part I'm hung up on right now.