Bug 47838 - Ability to Dynamically Inject Current Time Into a Filter
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_ldap
Version: 2.5-HEAD
Hardware: Macintosh Mac OS X 10.4
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2009-09-14 09:17 UTC by Ray Gauss II
Modified: 2009-09-14 12:23 UTC

Attachments
Diff to allow for current server time to be injected into a filter. (1.59 KB, application/octet-stream)
2009-09-14 09:17 UTC, Ray Gauss II
Better handles dollar sign in filter (1.86 KB, patch)
2009-09-14 11:51 UTC, Ray Gauss II

Description Ray Gauss II 2009-09-14 09:17:11 UTC
Created attachment 24261
Diff to allow for current server time to be injected into a filter.

I've modified some of the source from the mod_authz_ldap project
(http://authzldap.othello.ch/) and applied it to the native mod_authnz_ldap
module (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html).

The code adds the ability to replace a special keyword of $t in a filter with
the current server time in the format of YYYYMMDDhhmmss.

This allows for a URL like:

AuthLDAPURL "ldaps://server.company.com/ou=users,dc=company,dc=com?uid?sub?(expirationDate>=$tZ)"

to result in a query being sent to the server similar to:

(&(expirationDate>=200909140101Z)(uid=userj))

The code has not been heavily tested and my C skills have severely atrophied so
the code should be carefully scrutinized before committing.

The diff should be applied to modules/aaa/mod_authnz_ldap.c.

Please let me know if you have any questions.  Thanks.
Comment 1 Dan Poirier 2009-09-14 09:52:41 UTC
I'm not that familiar with the LDAP AAA, so somebody else might have a better approach to solve your problem.

Just looking at the patch, C89 doesn't allow new variable declarations in the middle of a block.  Also, see if you can handle the cases where $ is followed by a character other than 't', or $ is at the end.  There should also be a way to include a $ in the string if you really want one.
Comment 2 Ray Gauss II 2009-09-14 11:51:16 UTC
Created attachment 24263
Better handles dollar sign in filter

This version has variable declarations at the beginning of the method and should pass through any dollar signs ($) not followed by a dynamic tag (currently only t for the server timestamp).
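The substitution discussed in the description and in comments 1 and 2, as an added example that is not the attached patch or the module's own code. The function name expand_filter, the "$$" escape for a literal dollar sign, and the caller passing a broken-down UTC time are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example (not the attached patch). expand_filter() is a hypothetical
 * name. Assumptions: "$t" becomes YYYYMMDDhhmmss taken from the caller's
 * broken-down time (pass UTC if the filter appends "Z"), and "$$" is the
 * escape for a literal '$'. Any other '$', including a trailing one, is
 * copied through unchanged. Returns 0 on success; on overflow returns -1
 * and empties out, so a truncated filter (one that may have lost its
 * expiration clause) is never sent to the directory. */
static int expand_filter(const char *tmpl, const struct tm *now,
                         char *out, size_t outlen)
{
    char stamp[32];
    const char *p, *src;
    size_t used = 0, n;   /* declared at the top of the block, as C89 requires */

    if (outlen == 0 || strftime(stamp, sizeof(stamp), "%Y%m%d%H%M%S", now) == 0)
        return -1;

    for (p = tmpl; *p != '\0'; p++) {
        src = p;                       /* default: copy this byte as-is */
        n = 1;
        if (p[0] == '$' && p[1] == 't') {
            src = stamp;               /* "$t" -> timestamp */
            n = strlen(stamp);
            p++;
        } else if (p[0] == '$' && p[1] == '$') {
            p++;                       /* "$$" -> one literal '$' */
        }
        if (n >= outlen - used) {      /* keep room for the terminator */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, src, n);
        used += n;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    struct tm when = {0};              /* constructed sample time, treated as UTC */
    char filter[128];

    when.tm_year = 109; when.tm_mon = 8; when.tm_mday = 14;
    when.tm_hour = 9; when.tm_min = 17; when.tm_sec = 11;
    if (expand_filter("(expirationDate>=$tZ)", &when, filter, sizeof(filter)) == 0)
        puts(filter);
    return 0;
}
```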
Comment 3 Eric Covener 2009-09-14 12:12:03 UTC
(In reply to comment #2)
> Created an attachment (id=24263)
> Better handles dollar sign in filter
> 
> This version has variable declarations at the beginning of the method and
> should pass through any dollar signs ($) not followed by a dynamic tag
> (currently only t for the server timestamp).

Have you thought about the implication of the cache here?
Comment 4 Ray Gauss II 2009-09-14 12:21:16 UTC
Certainly administrators would have to pay careful attention to their caching strategies (and server timezones for that matter) depending on the accuracy needed for any sort of expiration authorization.