From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Tue, 3 Aug 2021 21:45:02 +0000 (+0000)
Subject: ITS#9625 - Fix handling when pwdChangedTime is not present
X-Git-Tag: OPENLDAP_REL_ENG_2_6_0~126
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27a542437135bc5ea5a6d6923f7abf83b79c3c9c;p=thirdparty%2Fopenldap.git

ITS#9625 - Fix handling when pwdChangedTime is not present

Add a check to see if pwdChangedTime was actually present on the entry. If not, skip the expiry check.

Additionally change the debug log statement to TRACE instead of ANY, as the message is informational.
---

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index e684ae921f..56f638396d 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1809,8 +1809,13 @@ check_expiring_password:
 		 * If the password has expired, and we're in the grace period, then
 		 * we don't need to do this bit. Similarly, if we don't have password
 		 * aging, then there's no need to do this bit either.
+		 *
+		 * If pwdtime is -1 there is no password Change Time attribute on the
+		 * entry so we skip the expiry check.
+		 *
 		 */
-		if ((ppb->pp.pwdMaxAge < 1) || (pwExpired) || (ppb->pp.pwdExpireWarning < 1))
+		if ((ppb->pp.pwdMaxAge < 1) || (pwExpired) || (ppb->pp.pwdExpireWarning < 1) ||
+			(pwtime == -1))
 			goto done;
 
 		age = (int)(now - pwtime);
@@ -1829,7 +1834,7 @@ check_expiring_password:
 			warn = ppb->pp.pwdMaxAge - age; /* seconds left until expiry */
 			if (warn < 0) warn = 0; /* something weird here - why is pwExpired not set? */
 			
-			Debug( LDAP_DEBUG_ANY,
+			Debug( LDAP_DEBUG_TRACE,
 				"ppolicy_bind: Setting warning for password expiry for %s = %d seconds\n",
 				op->o_req_dn.bv_val, warn );
 		}