please add steps to reproduce and verify with RHDS or openLDAP

Veifying the loginDisabled and loginExpiration time should be easy, they are well documented and as far as LDAP goes they are just strings. 

In both cases, you can either extend the schema to really contain the new attributes or, which may be simpler, use another attribute (say, gecos, or description) and simply set an override on the config option, like this:

ldap_user_nds_login_disabled = gecos

the above would fetch the loginDisabled data from the gecos attribute.

The loginDisabled attribute is just a string that contains a boolean true/false value. So when you set it to "true", access should be denied. In the logs you should see messages from sdap_account_expired_nds().

The loginExpirationTime is a date-and-time field (UTC) representing when will be the account expired, If you're past this date, you shouldn't be allowed to login.
The format is YYYYMMDDHHMMSS, for instance 20130319194530 would mean that a user can only login until 2013-Mar-19 19:45:30.

As stated in the opening ticket, the loginAllowedTimeMap is harder and actually supporting it might be a nice-to-have. The attribute is a binary one. It is a bitmap that consists of 42 bytes (336 bits) representing 30-minutes intervals in a week. A good start would be to make sure that all zeroes always deny access and all ones always allow access. You should use base64 -d to encode the binary blob into base64 format and then load the attribute with a double-colon (loginAllowedTimeMap:: blob).

If either of these attributes is missing completely, access is granted.