Try using a filter in sssd.conf.
ldap_access_order = filter
ldap_access_filter = (!(pwdAccountLockedTime=*))
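As an added illustration of what that filter does and does not cover (example code written for this note, not from the thread, from sssd or from OpenLDAP): the first function mirrors the filter above, and the second applies the ppolicy lock, pwdReset and password-aging conditions the original post asks about, using constructed sample entries and a constructed 90-day pwdMaxAge.

```python
"""Added audit helper (not from the thread): given the OpenLDAP ppolicy
attributes of a user entry, report why a key-based SSH login should be refused.
Assumes single-valued attributes passed as strings and pwdMaxAge (seconds)
taken from the applicable ppolicy entry."""
from datetime import datetime, timedelta, timezone

def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime as written by ppolicy, e.g. 20140310190521Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def matches_not_locked_filter(entry: dict) -> bool:
    """Mirror of ldap_access_filter = (!(pwdAccountLockedTime=*)): the user
    passes the sssd access check whenever the attribute is absent."""
    return "pwdAccountLockedTime" not in entry

def access_problems(entry: dict, pwd_max_age: int, now: datetime) -> list:
    """Return the ppolicy conditions that should block a key-based login:
    'locked' (pwdAccountLockedTime set), 'reset' (pwdReset=TRUE, password
    must be changed first) and 'expired' (pwdChangedTime older than pwdMaxAge)."""
    problems = []
    if "pwdAccountLockedTime" in entry:
        problems.append("locked")
    if entry.get("pwdReset", "FALSE").upper() == "TRUE":
        problems.append("reset")
    changed = entry.get("pwdChangedTime")
    if changed and pwd_max_age > 0:
        if now - parse_generalized_time(changed) > timedelta(seconds=pwd_max_age):
            problems.append("expired")
    return problems

# Constructed sample entries (not real accounts); all times are UTC.
NOW = datetime(2014, 3, 10, 19, 5, 21, tzinfo=timezone.utc)
PWD_MAX_AGE = 90 * 24 * 3600  # constructed policy: passwords expire after 90 days
SAMPLE_ENTRIES = {
    "alice": {"pwdChangedTime": "20140301000000Z"},
    "bob": {"pwdChangedTime": "20140201000000Z",
            "pwdAccountLockedTime": "000001010000Z"},  # ppolicy permanent lock
    "carol": {"pwdChangedTime": "20131101000000Z", "pwdReset": "TRUE"},
}

if __name__ == "__main__":
    for uid, entry in SAMPLE_ENTRIES.items():
        print(uid, "filter allows:", matches_not_locked_filter(entry),
              "problems:", access_problems(entry, PWD_MAX_AGE, NOW))
```

Run against the constructed data, "carol" passes the lock-only filter yet has both a pending reset and an aged-out password, which is exactly the case the original post is concerned about.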
Date: Mon, 10 Mar 2014 19:05:21 -0500
Subject: open(ldap|ssh) interaction
When using local accounts, ssh honors password expiration even if using
public key authentication. This is the case at least on HPUX, Solaris, and
various flavors of Linux. This is a good thing. I won't go through all the
security reasons why passwords should periodically change. Suffice to say
that they should and most companies have policies regarding password
When using openldap, however, if a user is configured to use public key
authentication, he is allowed access to the account regardless of the password
aging and/or pwdReset parameter.
Is there a way to force openssh to honor these settings like it does for
Test environment is centos6.5 running on a kvm tying into an openldap server
ver 2.4.23. My test environment is certainly following the symptoms of my
client's unboundid server supporting a variety of linux platforms - all rhel
based - from ver 4 through 6.
Any help greatly appreciated.
Senior UNIX/Security Admin
CISSP, CISA, RHCSA, CEH
O'Leary Computers Inc
dkoleary(a)olearycomputers.com (w) 630-904-6098 (c) 630-248-2749