Thanks. Applied a similar patch to cvs HEAD, after fixing a memory leak.

Reproducing the bug:

userPassword can exist without pwdChangedTime if you bypass ppolicy: Use slapadd to add an entry with userPassword, or add it to a subtree with no policy and then configure a policy.

Then set up ppolicy and use ldapmodify to delete userPassword.