Description of problem: As per https://www.redhat.com/archives/freeipa-users/2009-June/msg00040.html it might in some cases be useful to allow cached entries to expire also when offline. For example, an organization may have a policy that all users must change their passwords twice a month - in that case it would be non-compliant that a user can keep using his password "forever" if offline.

Additional info: https://www.redhat.com/archives/freeipa-users/2009-June/msg00040.html
Ok, here we have 2 separate issues. One is the user/groups cache, another is the credentials cache (hashed, cached password). What we need to "expire" are only credential caches. It should be harmless to keep around user/group caches.
Since this is upstreamed at https://fedorahosted.org/sssd/ticket/60 I'll close this one. Thanks.