LDAP/SSSD with password policy overlays: possible to completely lock out accounts?
I am running OpenLDAP version 2.4 with the password policy overlay turned on. This appears to be working well, and I can set a policy that users can change their passwords every N days. However, once a password expires, the system will still accept it, but the user will be immediately prompted to change it. For various reasons, I would prefer that the account just be locked out. Is there any way to accomplish this? Most of the clients are Scientific Linux (RHEL clone) with a few Ubuntu boxes mixed in too. I'm interacting with the LDAP server via SSSD rather than nslcd or similar.