ITS#9625 - Fix handling when pwdChangedTime is not present
authorQuanah Gibson-Mount <quanah@openldap.org>
Tue, 3 Aug 2021 21:45:02 +0000 (21:45 +0000)
committerQuanah Gibson-Mount <quanah@openldap.org>
Wed, 4 Aug 2021 19:58:01 +0000 (19:58 +0000)
Add a check to see if pwdChangedTime was actually present on the entry. If not, skip the expiry check.

Additionally change the debug log statement to TRACE instead of ANY, as the message is informational.

servers/slapd/overlays/ppolicy.c

index e684ae921f3f2f36b1837791a585afd83ec6b002..56f638396d08ffcd0e4624d9b914c8a2797a19c0 100644 (file)
@@ -1809,8 +1809,13 @@ check_expiring_password:
                 * If the password has expired, and we're in the grace period, then
                 * we don't need to do this bit. Similarly, if we don't have password
                 * aging, then there's no need to do this bit either.
+                *
+                * If pwdtime is -1 there is no password Change Time attribute on the
+                * entry so we skip the expiry check.
+                *
                 */
-               if ((ppb->pp.pwdMaxAge < 1) || (pwExpired) || (ppb->pp.pwdExpireWarning < 1))
+               if ((ppb->pp.pwdMaxAge < 1) || (pwExpired) || (ppb->pp.pwdExpireWarning < 1) ||
+                       (pwtime == -1))
                        goto done;
 
                age = (int)(now - pwtime);
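Review bot: The added comment names `pwdtime`, but the variable tested in the condition is `pwtime`, and "skip the expiry check" overstates what this block does, since only the expiry-warning calculation under `check_expiring_password` is bypassed here. I would word it as `* If pwtime is (time_t)-1 the entry has no pwdChangedTime attribute, so no expiry warning can be computed and we skip it.` and write the test as `(pwtime == (time_t)-1)` so the sentinel comparison is explicit about its type. The code that decides `pwExpired` lies outside this hunk, so it is not visible whether a missing pwdChangedTime is handled the same way there. If it is, such entries are effectively exempt from password aging, which is worth stating in the comment so operators auditing policy coverage know to look for entries lacking the attribute.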
@@ -1829,7 +1834,7 @@ check_expiring_password:
                        warn = ppb->pp.pwdMaxAge - age; /* seconds left until expiry */
                        if (warn < 0) warn = 0; /* something weird here - why is pwExpired not set? */
                        
-                       Debug( LDAP_DEBUG_ANY,
+                       Debug( LDAP_DEBUG_TRACE,
                                "ppolicy_bind: Setting warning for password expiry for %s = %d seconds\n",
                                op->o_req_dn.bv_val, warn );
                }