Hello to the mailing list!

We are running FreeIPA to handle authentication, and having an issue.  We have a few tools that cannot use the full IPA stack (PAM/SSSD/Kerberos), but instead have to talk to the underlying LDAP server directly.  The problem we are facing is when user passwords expire, those users are still granted access to these tools that only use LDAP.  In researching this issue, I ran into https://pagure.io/freeipa/issue/1539 - which seems to be related.  Is this still a known issue?  Is there any way around it (like being able to automatically disable any user whose password has been expired for a certain period of time)?  This is within a PCI-compliant infrastructure, so we have to make sure we cover all bases.

Thanks for any help you can give!

Jeremy Utley