K5expire is a tool to complement a Kerberos/LDAP server combination. It checks all kerberos principals per user in LDAP for password and/or account expiration and sends E-mails to the owner if they will expire in a preconfigured amount of time.
It started as a hack to emulate the behaviour of expiration found in pam_unix and Windows, but I believe this method to be less intrusive because it does not delay the login process.