Firstly, apologies if this isnt appropriate for this mailing list. This was the only sssd mailing list I could find.
I'm trying to migrate a RHEL5 box from pam_ldap to sssd (version 1.5.1, official redhat package) and am having an issue getting shadow attributes working. For testing I set a shadowExpire attribute on my account in LDAP. pam_ldap obeys this correctly and will not let me log in (trying with ssh public key as the server enforces the password policy). I have added the following settings to the ldap domain to try and get this to work;
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = shadow

But the box sill lets me log in. For testing to make sure pam was working, I set 'ldap_access_order=filter' without setting ldap_access_filter, and it properly rejected my login.

Googling the subject only turns up the man page and the patch set where these settings were added.
Any ideas what I'm missing here?

Thanks