CAS LPPE currently examines OpenLDAP or AD attributes to determine when the password expires.
Unfortunately, the IBM Tivoli Directory Server I'm using doesn't support these attributes.
It does, however, support the proposed LDAP Password Policy standard, see:
I propose creating an LdapPasswordPolicyExaminer (for CAS 4) that examines the passwordPolicyRequest control response to determine account state.
Support for this control type is already in the spring-security-ldap library.
The ContextSource and/or LdapPasswordPolicyAwareAuthenticationHandler will need to be modified too to send the control request and to store the control response so the examiner can access it.
AFAIK both OpenLDAP and AD support this method too, so I would even recommend making this the default LPPE implementation.
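To make the proposal concrete, here is a decoder for the value of the Password Policy response control (draft-behera-ldap-password-policy, control OID 1.3.6.1.4.1.42.2.27.8.5.1) together with the account-state mapping an examiner would perform on it. This is an added example, not CAS or spring-security-ldap code, and it is written in Python rather than Java so it runs stand-alone; the tag layout (a constructed [0] warning wrapping a primitive [0] timeBeforeExpiration or [1] graceAuthNsRemaining INTEGER, then an optional primitive [1] error ENUMERATED) follows the draft's ASN.1 under BER, and the sample byte strings are constructed by hand, not captured from a directory server.

```python
"""Decode the LDAP Password Policy response control value and derive account state.

PasswordPolicyResponseValue ::= SEQUENCE {
    warning [0] CHOICE {
        timeBeforeExpiration [0] INTEGER (0 .. maxInt),
        graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
    error   [1] ENUMERATED { passwordExpired (0), accountLocked (1),
        changeAfterReset (2), passwordModNotAllowed (3), mustSupplyOldPassword (4),
        insufficientPasswordQuality (5), passwordTooShort (6), passwordTooYoung (7),
        passwordInHistory (8) } OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

# BER tags as they appear on the wire for this structure (assumption: implicit
# context-specific tagging, which is what OpenLDAP and IBM TDS emit in practice)
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0                  # [0] constructed: the warning CHOICE
TAG_TIME_BEFORE_EXPIRATION = 0x80   # [0] primitive INTEGER inside the warning
TAG_GRACE_AUTHNS_REMAINING = 0x81   # [1] primitive INTEGER inside the warning
TAG_ERROR = 0x81                    # [1] primitive ENUMERATED at top level


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # seconds until the password expires
    grace_authns_remaining: Optional[int] = None  # bind succeeded only via a grace login
    error: Optional[int] = None                   # ENUMERATED code from ERROR_NAMES


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                       # short-form length
    else:
        nbytes = first & 0x7F                # long-form length: next nbytes hold the length
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def _ber_int(value: bytes) -> int:
    """BER INTEGER/ENUMERATED content is big-endian two's complement."""
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> PasswordPolicyResponse:
    """Parse the control value; every field is optional, an empty SEQUENCE is valid."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    if pos < len(body) and body[pos] == TAG_WARNING:
        _, warning, pos = _read_tlv(body, pos)
        wtag, wval, wend = _read_tlv(warning, 0)
        n = _ber_int(wval)
        if wend != len(warning) or n < 0:
            raise ValueError("malformed warning element")
        if wtag == TAG_TIME_BEFORE_EXPIRATION:
            resp.time_before_expiration = n
        elif wtag == TAG_GRACE_AUTHNS_REMAINING:
            resp.grace_authns_remaining = n
        else:
            raise ValueError("unknown warning tag 0x%02x" % wtag)
    if pos < len(body) and body[pos] == TAG_ERROR:
        _, eval_, pos = _read_tlv(body, pos)
        code = _ber_int(eval_)
        if code not in ERROR_NAMES:
            raise ValueError("unknown error code %d" % code)
        resp.error = code
    if pos != len(body):
        raise ValueError("unexpected trailing element in PasswordPolicyResponseValue")
    return resp


def account_state(resp: PasswordPolicyResponse) -> str:
    """Map the decoded control to the state an LPPE examiner would act on.

    Errors win over warnings; a grace-login warning means the password has already
    expired even though the bind succeeded, so it is treated as more urgent than
    a plain time-before-expiration warning.
    """
    if resp.error is not None:
        return {0: "PASSWORD_EXPIRED", 1: "ACCOUNT_LOCKED",
                2: "MUST_CHANGE_PASSWORD"}.get(resp.error, "ERROR_" + ERROR_NAMES[resp.error])
    if resp.grace_authns_remaining is not None:
        return "EXPIRED_GRACE_LOGIN"
    if resp.time_before_expiration is not None:
        return "EXPIRING_SOON"
    return "OK"


# Constructed sample control values (hand-encoded BER, not captured from a server)
SAMPLE_EXPIRES_IN_ONE_DAY = bytes.fromhex("3007a0058003015180")  # timeBeforeExpiration = 86400
SAMPLE_TWO_GRACE_LOGINS = bytes.fromhex("3005a003810102")        # graceAuthNsRemaining = 2
SAMPLE_ACCOUNT_LOCKED = bytes.fromhex("3003810101")              # error = accountLocked (1)
SAMPLE_NO_POLICY_INFO = bytes.fromhex("3000")                    # empty SEQUENCE
```

An examiner built on this would run `account_state(decode_ppolicy_response(control_value))` on the response control returned with the bind, which is exactly the control the handler has to store for it; on the Java side spring-security-ldap's PasswordPolicyResponseControl performs the same decoding. Note that a server that enforces no policy for the bound entry may omit the control entirely, so the examiner needs an explicit "no control present" path as well as the empty-SEQUENCE case shown here.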