From e9ecaa5d81437d292bd8641db7fb9bb513d61ff3 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 3 Oct 2006 09:25:54 +0000
Subject: [PATCH] ITS#4692 entries without pwdChangedTime attribute have
 non-expiring pw

---
 servers/slapd/overlays/ppolicy.c | 20 +++-----------------
 1 file changed, 3 insertions(+), 17 deletions(-)

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index d73851aed2..68216d445a 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1014,26 +1014,12 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
 			 * we now check whether the password has expired.
 			 *
 			 * We can skip this bit if passwords don't age in
-			 * the policy.
+			 * the policy. Also, if there was no pwdChangedTime
+			 * attribute in the entry, the password never expires.
 			 */
 			if (ppb->pp.pwdMaxAge == 0) goto grace;
 
-			if (pwtime == (time_t)-1) {
-				/*
-				 * Hmm. No password changed time on the
-				 * entry. This is odd - it should have
-				 * been provided when the attribute was added.
-				 *
-				 * However, it's possible that it could be
-				 * missing if the DIT was established via
-				 * an import process.
-				 */
-				Debug( LDAP_DEBUG_ANY,
-					"ppolicy_bind: Entry %s does not have valid pwdChangedTime attribute - assuming password expired\n",
-					e->e_name.bv_val, 0, 0);
-				
-				pwExpired = 1;
-			} else {
+			if (pwtime != (time_t)-1) {
 				/*
 				 * Check: was the last change time of
 				 * the password older than the maximum age
-- 
2.39.5