I'm looking for an authentication solution for AIX and Linux/CentOS servers that integrates with LDAP/AD. It should allow the users to log in to an AIX server, get notified that their password has expired, and allow them to change it from the AIX SSH session.
Not sure if you've looked at this, but I thought I'd give it a shot.
I use Apache Directory Server (DS). Very stable.
You could also try: https://www-01.ibm.com/support/docview.wss?uid=isg3T1027699
I strongly recommend the FreeIPA project, which runs on Linux; you configure AIX clients as described here: https://www.freeipa.org/page/FreeIPAv1:ConfiguringAixClients
This solution will offer bi-directional sync and password sync with Active Directory, no trusts required. You can also add MFA to FreeIPA for stronger authentication.
These days we always use MS AD to centralise authn/authz through something like sssd or samba, primarily because we rarely deploy into an environment where there is not already an existing AD for desktops or Windows servers.
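For the Linux/CentOS side of the sssd-with-AD approach, here is an added example configuration (not from any poster in this thread) that also covers the original question's expiry warning and change-at-login requirements; `example.com` / `EXAMPLE.COM` are placeholder names. AIX clients are not covered by sssd and need the AIX LDAP/Kerberos client instead.

```ini
# /etc/sssd/sssd.conf  (constructed example; must be owned by root, mode 0600)
# Join first, e.g. CentOS 7: realm join example.com   or   adcli join example.com
[sssd]
services = nss, pam
domains = example.com

[nss]
# Keep local system accounts out of AD lookups
filter_users = root
filter_groups = root

[pam]
# Warn at login when the AD password expires within this many days
pam_pwd_expiration_warning = 14
# Allow cached logins for this many days if no domain controller is reachable
offline_credentials_expiration = 2

[domain/example.com]
id_provider = ad
auth_provider = ad
# chpass_provider = ad lets an expired password be changed over SSH:
# pam_sss returns PAM_NEW_AUTHTOK_REQD and sshd runs the change dialogue
chpass_provider = ad
# Honour AD account disabled/expired flags and logon restrictions
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
# Derive UIDs/GIDs from objectSID; set False if AD carries POSIX attributes
ldap_id_mapping = True
cache_credentials = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
# Authenticate LDAP traffic to the DC with Kerberos (signed/sealed)
ldap_sasl_mech = GSSAPI

# Companion settings (constructed, not part of sssd.conf):
#   /etc/ssh/sshd_config:  UsePAM yes
#                          ChallengeResponseAuthentication yes
#   (ChallengeResponseAuthentication lets the PAM expired-password
#    conversation run inside the SSH session)
#   CentOS 7:  authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
#   CentOS 8:  authselect select sssd with-mkhomedir
```

Check with `getent passwd 'EXAMPLE\someuser'` and a test SSH login for an account whose AD password is set to expire; the warning should print before the shell starts.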
Yes, a lot of organisations do this. However, what I find is that where you need a robust front end and policy enforcement, we tend to put in a reference architecture based on the WebSEAL proxy via IBM Security Access Manager (ISAM) along with IBM Security Directory Server (ISDS), which we often integrate for management purposes, and then use integration with Microsoft AD to maintain separation of duties between users and the management (delivery) teams. Of course, these days you can also use cloud-based services like Okta for federation purposes as well. Of course, it all depends on the Enterprise Architecture related decisions and the nature of the business, etc.