Try using a filter in sssd.conf.

Something like

ldap_access_order = filter
ldap_access_filter = (!(pwdAccountLockedTime=*))


-Mike


> Date: Mon, 10 Mar 2014 19:05:21 -0500
> From: dkoleary@olearycomputers.com
> To: openldap-technical@openldap.org
> Subject: open(ldap|ssh) interaction
>
> Hey;
>
> When using local accounts, ssh honors password expiration even if using
> public key authentication. This is the case at least on HPUX, Solaris, and
> various flavors of Linux. This is a good thing. I won't go through all the
> security reasons why passwords should periodically change. Suffice to say
> that they should and most companies have policies regarding password
> expiration.
>
> When using openldap, however, if a user is configured to use public key
> authentication, he is allowed access to the account regardless of the password
> aging and/or pwdReset parameter.
>
> Is there a way to force openssh to honor these settings like it does for
> local accounts?
>
> Test environment is centos6.5 running on a kvm tying into an openldap server
> ver 2.4.23. My test environment is certainly following the symptoms of my
> client's unboundid server supporting a variety of linux platforms - all rhel
> based - from ver 4 through 6.
>
> Any help greatly appreciated.
>
> Doug O'Leary
> ------------
> Senior UNIX/Security Admin
> CISSP, CISA, RHCSA, CEH
> O'Leary Computers Inc
> dkoleary@olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
> linkedin: http://www.linkedin.com/in/dkoleary
> resume: http://www.olearycomputers.com/resume.html
>
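To show how the filter Mike suggests actually gets enforced for key-based logins, here is a fuller sssd.conf fragment. It is an added illustration, not configuration from either message: the domain name, ldap_uri, search base, CA path and bind DN are placeholders, and the filter goes one step beyond the reply by also denying users whose password was administratively reset (pwdReset=TRUE), which is the pwdReset case Doug asked about.

```ini
# Added example, not from the thread. Placeholders: the [domain/...] name,
# ldap_uri, ldap_search_base, ldap_tls_cacert and the bind DN/password.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt

# Identity SSSD uses for the access-filter search. pwdAccountLockedTime and
# pwdReset are ppolicy operational attributes, so this DN needs search access
# to them in slapd's ACLs; otherwise the filter never matches and every user
# is denied.
ldap_default_bind_dn = cn=sssd,ou=services,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = replace-with-the-bind-password

# The access filter is evaluated in pam_acct_mgmt, which sshd calls for every
# login when UsePAM is yes, including public-key logins that never go through
# pam_authenticate. That is why it catches what the password-bind path misses.
ldap_access_order = filter
# Allow only users that ppolicy has not locked (no pwdAccountLockedTime) and
# whose password is not flagged as reset (pwdReset not TRUE).
ldap_access_filter = (&(!(pwdAccountLockedTime=*))(!(pwdReset=TRUE)))
```

For this to take effect the PAM account stack sshd uses must include pam_sss.so; on RHEL/CentOS 6 that is the `account [default=bad success=ok user_unknown=ignore] pam_sss.so` line authconfig puts in /etc/pam.d/system-auth and password-auth. One caveat: the filter is static, so it can only test attributes already present on the entry. Password age itself (pwdChangedTime against pwdMaxAge) is only evaluated by the ppolicy overlay during a password bind, so a key-only user whose password has simply aged out is not caught unless something sets pwdAccountLockedTime, pwdReset, or a shadowExpire value (which SSSD can check by adding `expire` to ldap_access_order with `ldap_account_expire_policy = shadow`).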