From: Howard Chu <hyc@openldap.org>
Date: Tue, 3 Oct 2006 09:25:54 +0000 (+0000)
Subject: ITS#4692 entries without pwdChangedTime attribute have non-expiring pw
X-Git-Tag: OPENLDAP_REL_ENG_2_3_MP~84
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=e9ecaa5d81437d292bd8641db7fb9bb513d61ff3;p=openldap

ITS#4692 entries without pwdChangedTime attribute have non-expiring pw
---

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index d73851aed2..68216d445a 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1014,26 +1014,12 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
 			 * we now check whether the password has expired.
 			 *
 			 * We can skip this bit if passwords don't age in
-			 * the policy.
+			 * the policy. Also, if there was no pwdChangedTime
+			 * attribute in the entry, the password never expires.
 			 */
 			if (ppb->pp.pwdMaxAge == 0) goto grace;
 
-			if (pwtime == (time_t)-1) {
-				/*
-				 * Hmm. No password changed time on the
-				 * entry. This is odd - it should have
-				 * been provided when the attribute was added.
-				 *
-				 * However, it's possible that it could be
-				 * missing if the DIT was established via
-				 * an import process.
-				 */
-				Debug( LDAP_DEBUG_ANY,
-					"ppolicy_bind: Entry %s does not have valid pwdChangedTime attribute - assuming password expired\n",
-					e->e_name.bv_val, 0, 0);
-				
-				pwExpired = 1;
-			} else {
+			if (pwtime != (time_t)-1) {
 				/*
 				 * Check: was the last change time of
 				 * the password older than the maximum age