by chance I realized that an OpenLDAP server does not list all controls
it can handle in the rootDSE attribute supportedControl.
Especially LDAP_CONTROL_PASSWORDPOLICY is not listed. According to the
OpenLDAP developers this is because the related spec
still a draft and not finalized
Since sssd only uses controls which are in the supportedControl list we
will not be able to give the user expiration warnings or information
about grace logins for OpenLDAP servers with the password policy overlay
I'm not sure if we need to do anything about it but at least I think it
is good to be aware of.