From 8a0b05bfeb90fe401cbbbda87b39ca0fbeb79082 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 30 Jun 2009 12:12:53 +0000
Subject: [PATCH] ITS#6084 handle pwdAccountLockedTime values set into the
 future (i.e., lame way of setting an expiration date.)

---
 servers/slapd/overlays/ppolicy.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 10870f3755..8b374a8f87 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -338,14 +338,18 @@ account_locked( Operation *op, Entry *e,
 			time_t then, now;
 			Modifications *m;
 
-			if (!pp->pwdLockoutDuration)
-				return 1;
-
 			if ((then = parse_time( vals[0].bv_val )) == (time_t)0)
 				return 1;
 
 			now = slap_get_time();
 
+			/* Still in the future? not yet in effect */
+			if (now < then)
+				return 0;
+
+			if (!pp->pwdLockoutDuration)
+				return 1;
+
 			if (now < then + pp->pwdLockoutDuration)
 				return 1;
 
-- 
2.39.5