Hello,
I've searched the archives of this list, the web as best I can, and have
this same question asked to the sssd-devel mailing list and can not seem to
find an answer this my question. I have a RHEL 6.4 server with OpenLDAP
2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPM's
from Redhat. I have ppolicy configured in slapd and on another RHEL6.4 system
have sssd setup as a client. Everything works fine with password expires,
grace periods, etc and sssd, if the user has to enter their password. But, if
the user is using an SSH public key, setting the account as locked or the
password is expired still allows them to log in. I can't seem to find a good
solution that forces the user to change their password before they can login.