I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.
That's by intention (or should be). You never want to differentiate to the client the difference between the bind failing because of invalid credentials and failing because the account is locked, for security reasons.
Yes. The slapo-ppolicy(5) manpage already discusses this.
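
The client only ever sees "invalid credentials", but an administrator can still tell a lockout from a wrong password by reading the password policy operational attributes on the entry. The following is an added example, not part of the thread or of OpenLDAP: it assumes the attributes were already fetched by an administrative search, the function names `parse_gt` and `lock_state` are hypothetical, and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# ppolicy marker value: locked permanently, only an administrator can unlock
PERMANENT = "000001010000Z"

def parse_gt(value):
    """Parse an LDAP GeneralizedTime such as 20240105101500Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def lock_state(entry, policy, now):
    """Return (locked, reason) from one entry's ppolicy operational attributes."""
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        failures = len(entry.get("pwdFailureTime", []))
        return False, f"not locked ({failures} recorded failures)"
    if locked_at == PERMANENT:
        return True, "locked permanently; only an administrator can unlock"
    duration = int(policy.get("pwdLockoutDuration", 0))
    if duration == 0:
        # No duration configured: the lock stays until an administrative reset
        return True, "locked until an administrator resets the password"
    until = parse_gt(locked_at) + timedelta(seconds=duration)
    if now < until:
        return True, f"locked until {until:%Y-%m-%d %H:%M:%S} UTC"
    return False, "lockout expired"

if __name__ == "__main__":
    # Constructed sample data: a policy with a 15 minute lockout and three entries
    policy = {"pwdLockout": "TRUE", "pwdMaxFailure": "5", "pwdLockoutDuration": "900"}
    now = datetime(2024, 1, 5, 10, 20, 0, tzinfo=timezone.utc)
    entries = {
        "uid=alice": {"pwdFailureTime": ["20240105101000Z", "20240105101100Z"]},
        "uid=bob": {"pwdAccountLockedTime": "20240105101500Z"},
        "uid=carol": {"pwdAccountLockedTime": PERMANENT},
    }
    for dn, attrs in entries.items():
        print(dn, lock_state(attrs, policy, now))
```
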