Q&A: How can I identify a deactivated user?

Question:

How can I identify a deactivated user?

Answer:

You can identify a deactivated user in LDAP by the following attributes:

sambaAcctFlags → for SambaDisabled an additional “D” is set
shadowExpire → for PosixDisabled this is value 1 instead of 0 or unset
and
krb5KDCFlags → for KerberosDisabled value 254 instead of 126

sambaAcctFlags is difficult to search via ldapsearch

sambaAcctFlags: [U ]
sambaAcctFlags: [UD ]

Via UDM there is the attribute disabled:
disabled = 1
You can also tell that the user is disabled by the “!” in the “normal” password hash.

password: {crypt}!$6$gCDUiOL/mRCXeSNQ$o5zSkuHGMKa2nBWATIFZ.9asA.DIEzQl/MTpX7MBpfMhAub5407KWgcH/sc.U2/awqOHmJUDrqIccbpZzVB0n/
vs
password: {crypt}$6$gCDUiOL/mRCXeSNQ$o5zSkuHGMKa2nBWATIFZ.9asA.DIEzQl/MTpX7MBpfMhAub5407KWgcH/sc.U2/awqOHmJUDrqIccbpZzVB0n/
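The four indicators above can be checked together, which also exposes accounts that are disabled for only one of Samba, POSIX or Kerberos. The following is an added example, not part of the original answer: it assumes plain "attr: value" text as shown above (no base64-encoded values), the uid values and hashes in SAMPLE are constructed, and testing bit 128 of krb5KDCFlags (the difference between 254 and 126) is an assumption of this example.

```python
# Added example: classify accounts from "attr: value" text by the indicators above.
# SAMPLE is constructed; uid values and hash strings are placeholders.
SAMPLE = """\
uid: alice
sambaAcctFlags: [U          ]
shadowExpire: 0
krb5KDCFlags: 126
password: {crypt}$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH

uid: bob
sambaAcctFlags: [UD         ]
shadowExpire: 1
krb5KDCFlags: 254
password: {crypt}!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH

uid: carol
sambaAcctFlags: [UD         ]
krb5KDCFlags: 126
password: {crypt}$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
"""

def parse_entries(text):
    entries = []
    for block in text.split("\n\n"):  # records are separated by blank lines
        pairs = (line.partition(":") for line in block.splitlines() if ":" in line)
        entry = {k.strip(): v.strip() for k, _, v in pairs}
        if entry:
            entries.append(entry)
    return entries

def disabled_indicators(entry):
    found = set()
    if "D" in entry.get("sambaAcctFlags", "").strip("[]"):
        found.add("samba")      # SambaDisabled: extra "D" in the flags
    if entry.get("shadowExpire") == "1":
        found.add("posix")      # PosixDisabled: 1 instead of 0 or unset
    # Assumption: 254 and 126 differ only in bit 128, so test that bit.
    if int(entry.get("krb5KDCFlags", "0")) & 128:
        found.add("kerberos")   # KerberosDisabled
    if entry.get("password", "").startswith("{crypt}!"):
        found.add("password")   # "!" in front of the crypt hash
    return found

def report(text):
    return {e.get("uid"): disabled_indicators(e) for e in parse_entries(text)}

if __name__ == "__main__":
    for uid, found in report(SAMPLE).items():
        print(uid, sorted(found) or "active")
```

An entry like carol, with only the Samba flag set, is the case a search on a single attribute would miss or misreport.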
