ITS#9625 - Fix handling when pwdChangedTime is not present

Add a check to see if pwdChangedTime was actually present on the entry. If not, skip the expiry check.

Additionally change the debug log statement to TRACE instead of ANY, as the message is informational.
Quanah Gibson-Mount 2021-08-03 21:45:02 +00:00
parent 8b24104d1a
commit 27a5424371


@ -1809,8 +1809,13 @@ check_expiring_password:
* If the password has expired, and we're in the grace period, then * If the password has expired, and we're in the grace period, then
* we don't need to do this bit. Similarly, if we don't have password * we don't need to do this bit. Similarly, if we don't have password
* aging, then there's no need to do this bit either. * aging, then there's no need to do this bit either.
*
* If pwdtime is -1 there is no password Change Time attribute on the
* entry so we skip the expiry check.
*
*/ */
if ((ppb->pp.pwdMaxAge < 1) || (pwExpired) || (ppb->pp.pwdExpireWarning < 1)) if ((ppb->pp.pwdMaxAge < 1) || (pwExpired) || (ppb->pp.pwdExpireWarning < 1) ||
(pwtime == -1))
goto done; goto done;
age = (int)(now - pwtime); age = (int)(now - pwtime);
@ -1829,7 +1834,7 @@ check_expiring_password:
warn = ppb->pp.pwdMaxAge - age; /* seconds left until expiry */ warn = ppb->pp.pwdMaxAge - age; /* seconds left until expiry */
if (warn < 0) warn = 0; /* something weird here - why is pwExpired not set? */ if (warn < 0) warn = 0; /* something weird here - why is pwExpired not set? */
Debug( LDAP_DEBUG_ANY, Debug( LDAP_DEBUG_TRACE,
"ppolicy_bind: Setting warning for password expiry for %s = %d seconds\n", "ppolicy_bind: Setting warning for password expiry for %s = %d seconds\n",
op->o_req_dn.bv_val, warn ); op->o_req_dn.bv_val, warn );
} }
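Review bot: The added `(pwtime == -1)` test in the first hunk jumps to `done` without logging anything, so an entry with no pwdChangedTime silently gets no expiry warning and an operator cannot tell from the log that password aging is not being applied to it. I would split that case out ahead of the combined condition and record it: `if (pwtime == -1) { Debug( LDAP_DEBUG_TRACE, "ppolicy_bind: no pwdChangedTime for %s, skipping expiry warning\n", op->o_req_dn.bv_val ); goto done; }`. The new comment calls this "the expiry check", but the code visible under `check_expiring_password` only computes the warning; whatever sets `pwExpired` lies outside the hunk, so it is worth confirming that the missing-attribute case is handled deliberately there as well. If -1 is also what the time parser yields for a malformed value (not visible here), the same log line would make that case visible too.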