We have requirements to accomplish two things where access to data should be readily available is not because it is stored in the password blob. We need to send emails to users 2 weeks before their password expires. We have devised a workaround by using an additional attribute and a PX to set it whenever a password is changed. The problem is that if the password policy ever changes, this PX also needs to change (documentation, redundant functionality and repetition).
We also have a requirement to monitor last login and email people 2 weeks ahead of being disabled for inactivity. Last login is right there in the password blob, but we can't get to it, so we're trying to come up with a workaround like enabling dxPwdLoginTime in CA Directory. But I'm not sure how to enable access to that from an IdM PX. Plus this should not be a thing because SSO/IdM has the value sitting in the password blob.
I was just wondering if there is a hidden LAH or anything that can be used to gain access to this data which should be readily available to IdM in the first place?