Perhaps there is a more "natural" way for storing the account/group flag information in LDAP. What about making acctFlags/groupFlags a multi-valued attribute? It would be easier for provisioning applications to perform modifications. It would also open the door for more useful searches. (acctFlag="D") etc..
ie: acctFlag: X acctFlag: U instead of- acctFlags: [UX ]
