Hey,
For Windows clients this is actually a feature of the client operating system, not of the server side. The client simply evaluates the data present in the Active Directory LDAP and acts accordingly. You usually configure them to show such a prompt via a group policy (see e.g. this article).
In a UCS AD domain that password expiry data is definitely present in the AD LDAP, and that’s pretty much about all Univention can do at that point as neither LinuxMint nor macOS are Univention’s own products (obviously).
The use is to have the server change the password. As far as I remember the web-based Self Service provided by Univention should still allow changing the password even if it’s expired, if I’m not mistaken (but don’t take my word for it).
For this particular type of operation there isn’t that much UCS-specific to observe. Personally I’d write a script in Perl or Ruby (as those are generally my preferred scripting languages) as working with LDAP is easier in “real” scripting languages compared to shell scripts.
Nothing UCS-specific, no, just the standard Linux tools. You can execute that as a cron job or via a systemd timer unit, whatever you prefer (personally I tend to use systemd timer units as listing all available jobs and when they’re going to be executed with systemctl list-timers can be rather helpful).
One thing to note is that OpenLDAP and Samba4 LDAP have different ways of storing the password policy settings. If you’re working with the OpenLDAP side, you can use the univention-policy-result tool in order to find out the UCS password policy applying to a particular user. Here’s an example:
[0 root@master ~] univention-policy-result -D $(ucr get ldap/hostdn) -y /etc/machine.secret uid=passwordexpiry,cn=users,$(ucr get ldap/base)
DN: uid=passwordexpiry,cn=users,dc=mbu-test,dc=intranet
POLICY uid=passwordexpiry,cn=users,dc=mbu-test,dc=intranet
…
Policy: cn=expiry-test,cn=policies,dc=mbu-test,dc=intranet
Attribute: univentionPWExpiryInterval
Value: 90
…
You can use that information together with the date when the password was last set (OpenLDAP attribute sambaPwdLastSet).
In the AD LDAP part things are stored differently. I don’t know the details off the top of my head, but as UCS provides a standard AD LDAP schema you should have no difficulties finding out the way they’re stored using your favorite search engine.
Kind regards
mosu
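As an added illustration of the check mosu describes (this is not mosu's script or a Univention tool), a small Ruby program that parses univention-policy-result output for univentionPWExpiryInterval, combines it with sambaPwdLastSet and reports whether a reminder is due. It assumes the interval is expressed in days and sambaPwdLastSet in Unix epoch seconds; the policy output below is a constructed sample, and the actual LDAP lookup (ldapsearch or Net::LDAP) is left to the surrounding cron job or timer.

```ruby
# Added example (not from the original post): decide whether a UCS/OpenLDAP
# user's password is about to expire, using univention-policy-result output
# (univentionPWExpiryInterval, assumed in days) and sambaPwdLastSet (epoch s).
# Constructed sample in the format univention-policy-result prints.
SAMPLE_POLICY_OUTPUT = <<~OUT
  DN: uid=passwordexpiry,cn=users,dc=example,dc=intranet
  POLICY uid=passwordexpiry,cn=users,dc=example,dc=intranet
  Policy: cn=expiry-test,cn=policies,dc=example,dc=intranet
  Attribute: univentionPWExpiryInterval
  Value: 90
OUT

# Collect "Attribute:" / "Value:" pairs; multi-valued attributes become arrays.
def parse_policy_result(text)
  attrs = Hash.new { |h, k| h[k] = [] }
  current = nil
  text.each_line do |line|
    if (a = line[/\AAttribute:\s*(\S+)/, 1])
      current = a
    elsif current && (v = line[/\AValue:\s*(.*)/, 1])
      attrs[current] << v.strip
    end
  end
  attrs
end

# Expiry interval in days, or nil when no expiry policy applies to the user.
def expiry_interval_days(text)
  v = parse_policy_result(text)['univentionPWExpiryInterval'].first
  v.nil? ? nil : Integer(v)
end

# Days until expiry (negative = already expired); nil = password never expires.
def days_until_expiry(pwd_last_set, interval_days, now = Time.now)
  return nil if interval_days.nil? || interval_days <= 0
  expires_at = Time.at(Integer(pwd_last_set)) + interval_days * 86_400
  ((expires_at - now) / 86_400).floor
end

# True when the password expires within warn_days (or has already expired).
def reminder_due?(pwd_last_set, interval_days, warn_days, now = Time.now)
  left = days_until_expiry(pwd_last_set, interval_days, now)
  !left.nil? && left <= warn_days
end
if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2023, 6, 1)
  last_set = now.to_i - 85 * 86_400   # constructed: password set 85 days ago
  puts "reminder due: #{reminder_due?(last_set, expiry_interval_days(SAMPLE_POLICY_OUTPUT), 14, now)}"
end
```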