What is the SSSD approach to allowing a user to only login when its backend is offline?
I currently have an OpenLDAP server that I authenticate against via SSSD and PAM to login. Normally, I can log into my machines with the accounts stored in LDAP, however, I would like to still be able to log into those machines even if my LDAP server is not online. I want to have an emergency user that is able to login when LDAP is not online, but I don't want the emergency user to be able to log in when LDAP is online. I don't want to cache credentials and I can't guarantee that the account will have been used to login before LDAP is offline.
What I am currently doing that doesn't work is having a locked account in LDAP for the emergency user. So if someone tries to login as the emergency user it will fail. The emergency user is disabled by setting `ldap_access_order` to `expire`. Unfortunately, when LDAP is offline, the emergency user still has the locked attribute since the user's attributes are cached. So the emergency user still fails to login.
So my questions are:
1. SSSD is caching my user information (not credentials) when my LDAP server is offline. Is there a way to not cache user information or drop it after a set amount of time? I don't think there is a way, but I want to ask. I also don't think that this is the SSSD mindset, which leads to my next question.
2. What is the SSSD way to allow a user to only login when its backend is offline? Is there a way to do special things when a backend is offline? Instead of locking the account through a client-side 'access' check, should I be doing this through a server-side mechanism? Am I missing something incredibly obvious? Is this just a stupid approach to begin with?
I am sure there is a good way to do this, I just don't know enough to figure it out.
Thanks,
Kevin
sssd-users@lists.fedorahosted.org