I had a similar issue where accounts set to "never" expire generated an expired account activity alert because as illustrated by jstoner above, the Expired Identities object matches all values.
Instead of changing the data model I set endDate to a null value where accountExpires=(never)
| eval endDate=if(accountExpires="(never)","",accountExpires)
rich7177 has a good example of an ldap search that exports nicely to ES here.
https://answers.splunk.com/answers/400373/how-to-speed-up-ldap-active-directory-searches-spe.html
... View more