Only calculate LDAP password grace when the password is expired

The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c

@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
     Slapi_ValueSet *values = NULL;
     long grace_limit = 0;
     int grace_user_time;
-    char *pwd_expiration = NULL;
+    char *tmpstr = NULL;
+    time_t pwd_expiration;
     int pwresponse_requested = 0;
     Slapi_PBlock *pbtm = NULL;
     Slapi_Mods *smods = NULL;
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
     }
     slapi_value_free(&objectclass);
 
-    pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
-    if (pwd_expiration == NULL) {
+    tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+    if (tmpstr == NULL) {
         /* No expiration means nothing to do */
         LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
         goto done;
     }
+    pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
+    if (pwd_expiration > time(NULL)) {
+        /* Not expired, nothing to see here */
+        goto done;
+    }
 
     ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
                                     &values, &actual_type_name,