From 27a542437135bc5ea5a6d6923f7abf83b79c3c9c Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Tue, 3 Aug 2021 21:45:02 +0000 Subject: [PATCH] ITS#9625 - Fix handling when pwdChangedTime is not present Add a check to see if pwdChangedTime was actually present on the entry. If not, skip the expiry check. Additionally change the debug log statement to TRACE instead of ANY, as the message is informational. --- servers/slapd/overlays/ppolicy.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c index e684ae921f..56f638396d 100644 --- a/servers/slapd/overlays/ppolicy.c +++ b/servers/slapd/overlays/ppolicy.c @@ -1809,8 +1809,13 @@ check_expiring_password: * If the password has expired, and we're in the grace period, then * we don't need to do this bit. Similarly, if we don't have password * aging, then there's no need to do this bit either. + * + * If pwdtime is -1 there is no password Change Time attribute on the + * entry so we skip the expiry check. + * */ - if ((ppb->pp.pwdMaxAge < 1) || (pwExpired) || (ppb->pp.pwdExpireWarning < 1)) + if ((ppb->pp.pwdMaxAge < 1) || (pwExpired) || (ppb->pp.pwdExpireWarning < 1) || + (pwtime == -1)) goto done; age = (int)(now - pwtime); @@ -1829,7 +1834,7 @@ check_expiring_password: warn = ppb->pp.pwdMaxAge - age; /* seconds left until expiry */ if (warn < 0) warn = 0; /* something weird here - why is pwExpired not set? */ - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "ppolicy_bind: Setting warning for password expiry for %s = %d seconds\n", op->o_req_dn.bv_val, warn ); }