Following @DirkS 's hint via e-mail (many thanks and sorry Mr. Schnick, I first had to awkwardly extract the credentials to our email provider, as we’ve been using fetchmail for years and manage the passwords for direct access in a password manager, which was also no longer accessible…):
“Have you configured faillog or ppolicy lockout?”
I was sent in the right direction and followed the howto to disable the lockouts and now at least “univention-ldapsearch” works again…
This is already the second time that this howto gets us into big trouble.
I was absolutely not aware that this setting can cause such problems for the whole domain and according to me it is not mentioned or at least not clearly enough.