LinuxQuestions.org

Thread: Looking to temporarily spoil a PKI cert in OpenLdap (https://www.linuxquestions.org/questions/linux-software-2/looking-to-temporarily-spoil-a-pki-cert-in-openldap-4175721607/)

scottieH 02-02-2023 06:23 PM

Looking to temporarily spoil a PKI cert in OpenLdap
 
I'm running OpenLDAP v 2.4.44 on Red Hat 7/8.

Background
We have 3 web applications that require passwordless authentication to access.
Two of these applications use UserID, the public PKI key, and look for membership in the proper group for access.
The third just checks the UserID and membership in the appropriate group.

There is no requirement to log in to our network. These URLs are available remotely, however the user must still have an account on our system.

Lockouts
If a user hasn't logged in for a while, one of our sysadmins will "lock" their account in LDAP. This is done either by changing their password or setting the pwdAccountLockoutTime in their LDAP record.

We have noticed that OpenSSH (v7.4) does not consult LDAP before allowing access. Therefore, locked users who use SSH keys to log in to the system are still granted access.

To prevent this, we are temporarily adding 2 dashes '--' to their login shell name. i.e. /bin/ksh becomes --/bin/ksh. This prevents them from logging in.

When the user calls to 'complain,' we politely remind them that they need to log in periodically to prevent lockouts & deletions. We then unlock the account and 'un-mangle' the login shell.

The Problem
Locking the user's account in this manner does not prevent access to the Web Apps.

The initial thought is to 'mangle' or somehow temporarily invalidate their PKI key. This would need to be done in a controllable way so it can be easily undone.

This would at least prevent access to the first 2 Web Apps.

Question
Can this be done? If so, how?
Is there another way to do this?

Thanks,
-S

scottieH 02-21-2023 01:13 PM

I was not able to find a way to temporarily spoil the PKI cert. I did find a way to rename the user, which thereby means the user record cannot be found == no PKI cert.
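The thread's lock procedure (set pwdAccountLockoutTime, prefix the login shell with '--', undo both later) and its real gap (SSH and the web apps never ask LDAP whether the account is locked) can both be captured in a small script. The following is an added example, not code from the thread or from OpenLDAP: it parses a single LDIF entry (constructed sample, no base64 or continuation lines), decides whether the account should be refused access, and emits the reversible ldapmodify changes. It assumes the slapo-ppolicy convention that the value 000001010000Z means a permanent lock, and that a policy's pwdLockoutDuration is passed in as seconds (0 meaning the lock lasts until an admin clears the attribute); the DN, user and shell values are made up.

```python
"""Lock-state check and reversible lock/unlock LDIF for an OpenLDAP user.

Added example; the sample entry below is constructed, not real directory data.
"""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # slapo-ppolicy: account is permanently locked
SHELL_MANGLE = "--"               # prefix the thread uses to break interactive logins

# Constructed sample entry (hypothetical DN and user).
SAMPLE_ENTRY = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
loginShell: /bin/ksh
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines only,
    no base64 ('::') values and no line continuations."""
    entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_gentime(stamp):
    """GeneralizedTime as ppolicy writes it, e.g. 20230201000000Z."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked(entry, now=None, lockout_duration=0):
    """True when an application consulting LDAP should refuse this user.

    lockout_duration mirrors the policy's pwdLockoutDuration in seconds;
    0 means the lock only ends when an admin removes pwdAccountLockoutTime.
    A mangled login shell counts as locked as well.
    """
    now = now or datetime.now(timezone.utc)
    for stamp in entry.get("pwdAccountLockoutTime", []):
        if stamp == PERMANENT_LOCK or lockout_duration == 0:
            return True
        if now < parse_gentime(stamp) + timedelta(seconds=lockout_duration):
            return True
    shell = entry.get("loginShell", [""])[0]
    return shell.startswith(SHELL_MANGLE)


def lock_ldif(entry):
    """ldapmodify input that permanently locks the account and mangles the shell."""
    dn = entry["dn"][0]
    shell = entry.get("loginShell", ["/bin/false"])[0]
    if not shell.startswith(SHELL_MANGLE):
        shell = SHELL_MANGLE + shell
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: pwdAccountLockoutTime",
        f"pwdAccountLockoutTime: {PERMANENT_LOCK}",
        "-",
        "replace: loginShell",
        f"loginShell: {shell}",
        "-",
    ]) + "\n"


def unlock_ldif(entry):
    """ldapmodify input that clears the lock and restores the original shell."""
    dn = entry["dn"][0]
    shell = entry.get("loginShell", ["/bin/false"])[0]
    if shell.startswith(SHELL_MANGLE):
        shell = shell[len(SHELL_MANGLE):]
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: pwdAccountLockoutTime",
        "-",
        "replace: loginShell",
        f"loginShell: {shell}",
        "-",
    ]) + "\n"


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_ENTRY)
    print("locked before:", is_locked(user))
    print(lock_ldif(user))
    print(unlock_ldif(dict(user, loginShell=["--/bin/ksh"])))
```

Feed the generated text to ldapmodify with a bind that is allowed to write pwdAccountLockoutTime (it is an operational attribute managed by the ppolicy overlay, so this typically needs the rootdn or manage-level access). The more durable fix for the problem described in the first post is on the consuming side: a web application that looks up the user's entry anyway can apply a check like is_locked before granting access, so a locked account is refused without touching its PKI key at all.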


All times are GMT -5. The time now is 10:25 AM.