We are using open source version of hue 4.7.1 and have freeIPA as our auth backend. It has been working fine and we can restrict user login based on specific group. However we've noticed that hue is allowing users to login who's password is already expired.
Is there a way to block this? Are we missing a step somewhere in config?
Check the backend setting in Hue config. What is the full value under [[auth]] backend setting? Is it just LDAP or are there other backends listed?
You can also limit the groups that are able to login to Hue with [[ldap]] login_groups setting described here.
Also note that if a user is deleted from your directory, it is not automatically deleted from Hue. You can read more here. The same documentation page tells you how to setup debugging in Hue for LDAP troubleshooting. This may be helpful in your case.