Better yet is to support the sAMAccountType / userAccountControl attributes used by Active Directory. The only catch is that, for these to be useful, you really need to implement the bitwise LDAP matching rules. We implemented that for OpenLDAP, so if you're using the latest version (2.1.??) it should work.
-- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com