|Summary:|Ability to Dynamically Inject Current Time Into a Filter|
|Product:|Apache httpd-2|
|Reporter:|Ray Gauss II <ray>|
|Component:|mod_authz_ldap|
|Assignee:|Apache HTTPD Bugs Mailing List <bugs>|
|OS:|Mac OS X 10.4|
Diff to allow for current server time to be injected into a filter.
Better handles dollar sign in filter
Description Ray Gauss II 2009-09-14 09:17:11 UTC
Created attachment 24261
Diff to allow for current server time to be injected into a filter.

I've modified some of the source from the mod_authz_ldap project (http://authzldap.othello.ch/) and applied it to the native mod_authnz_ldap module (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html).

The code adds the ability to replace a special keyword of $t in a filter with the current server time in the format of YYYYMMDDhhmmss.

This allows for a URL like:

AuthLDAPURL "ldaps://server.company.com/ou=users,dc=company,dc=com?uid?sub?(expirationDate>=$tZ)"

to result in a query being sent to the server similar to:

(&(expirationDate>=200909140101Z)(uid=userj))

The code has not been heavily tested and my C skills have severely atrophied so the code should be carefully scrutinized before committing.

The diff should be applied to modules/aaa/mod_authnz_ldap.c.

Please let me know if you have any questions.

Thanks.
Comment 1 Dan Poirier 2009-09-14 09:52:41 UTC
I'm not that familiar with the LDAP AAA, so somebody else might have a better approach to solve your problem. Just looking at the patch, C89 doesn't allow new variable declarations in the middle of a block. Also, see if you can handle the cases where $ is followed by a character other than 't', or $ is at the end. There should also be a way to include a $ in the string if you really want one.
Comment 2 Ray Gauss II 2009-09-14 11:51:16 UTC
Created attachment 24263
Better handles dollar sign in filter

This version has variable declarations at the beginning of the method and should pass through any dollar signs ($) not followed by a dynamic tag (currently only t for the server timestamp).
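The substitution discussed in comments 1 and 2, written out as an added C example; it is not the attached patch and not httpd code. The function name `expand_filter_time` and the `$$` escape are assumptions of this example, and the time is rendered in UTC because the filter in the description appends `Z`.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Expand "$t" in an LDAP filter template to the time as YYYYMMDDhhmmss (UTC).
 * "$$" yields a literal '$' (an escape assumed by this example); any other
 * '$', including one at the very end of the string, is copied through as-is.
 * Returns 0 on success, -1 if the result does not fit or conversion fails. */
int expand_filter_time(const char *tmpl, time_t now, char *out, size_t outlen)
{
    char stamp[15];                 /* 14 digits plus the terminator */
    size_t o = 0;
    const char *p;
    /* gmtime() is not reentrant; threaded server code needs a reentrant call. */
    const struct tm *tm = gmtime(&now);

    if (tm == NULL || outlen == 0 ||
        strftime(stamp, sizeof stamp, "%Y%m%d%H%M%S", tm) != 14)
        return -1;

    for (p = tmpl; *p != '\0'; p++) {
        const char *src = p;        /* default: copy this one byte */
        size_t n = 1;

        if (p[0] == '$' && p[1] == 't') {
            src = stamp;            /* "$t" -> timestamp */
            n = 14;
            p++;                    /* consume the tag character */
        } else if (p[0] == '$' && p[1] == '$') {
            p++;                    /* "$$" -> "$" */
            src = p;
        }
        if (n >= outlen - o)        /* always keep room for the terminator */
            return -1;
        memcpy(out + o, src, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}
```

Reading `p[1]` after a `$` is safe at the end of the template because it lands on the terminating NUL, which is how the trailing `$` case falls through to a plain copy.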
Comment 3 Eric Covener 2009-09-14 12:12:03 UTC
(In reply to comment #2)
> Created an attachment (id=24263)
> Better handles dollar sign in filter
>
> This version has variable declarations at the beginning of the method and
> should pass through any dollar signs ($) not followed by a dynamic tag
> (currently only t for the server timestamp).

Have you thought about the implication of the cache here?
Comment 4 Ray Gauss II 2009-09-14 12:21:16 UTC
Certainly administrators would have to pay careful attention to their caching strategies (and server timezones, for that matter) depending on the accuracy needed for any sort of expiration authorization.