From: Howard Chu <hyc@openldap.org>
Date: Tue, 30 Jun 2009 12:12:53 +0000 (+0000)
Subject: ITS#6084 handle pwdAccountLockedTime values set into the future (i.e.,
X-Git-Tag: ACLCHECK_0~468
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=8a0b05bfeb90fe401cbbbda87b39ca0fbeb79082;p=openldap

ITS#6084 handle pwdAccountLockedTime values set into the future (i.e.,
lame way of setting an expiration date.)
---

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 10870f3755..8b374a8f87 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -338,14 +338,18 @@ account_locked( Operation *op, Entry *e,
 			time_t then, now;
 			Modifications *m;
 
-			if (!pp->pwdLockoutDuration)
-				return 1;
-
 			if ((then = parse_time( vals[0].bv_val )) == (time_t)0)
 				return 1;
 
 			now = slap_get_time();
 
+			/* Still in the future? not yet in effect */
+			if (now < then)
+				return 0;
+
+			if (!pp->pwdLockoutDuration)
+				return 1;
+
 			if (now < then + pp->pwdLockoutDuration)
 				return 1;