Created attachment 24261 [details] Diff to allow for current server time to be injected into a filter.

I've modified some of the source from the mod_authz_ldap project (http://authzldap.othello.ch/) and applied it to the native mod_authnz_ldap module (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html). The code adds the ability to replace a special keyword of $t in a filter with the current server time in the format of YYYYMMDDhhmmss. This allows for a URL like:

AuthLDAPURL "ldaps://server.company.com/ou=users,dc=company,dc=com?uid?sub?(expirationDate>=$tZ)"

to result in a query being sent to the server similar to:

(&(expirationDate>=200909140101Z)(uid=userj))

The code has not been heavily tested and my C skills have severely atrophied, so the code should be carefully scrutinized before committing. The diff should be applied to modules/aaa/mod_authnz_ldap.c. Please let me know if you have any questions. Thanks.
I'm not that familiar with the LDAP AAA, so somebody else might have a better approach to solve your problem. Just looking at the patch, C89 doesn't allow new variable declarations in the middle of a block. Also, see if you can handle the cases where $ is followed by a character other than 't', or $ is at the end. There should also be a way to include a $ in the string if you really want one.
Created attachment 24263 [details] Better handles dollar sign in filter This version has variable declarations at the beginning of the method and should pass through any dollar signs ($) not followed by a dynamic tag (currently only t for the server timestamp).
(In reply to comment #2)
> Created an attachment (id=24263) [details]
> Better handles dollar sign in filter
>
> This version has variable declarations at the beginning of the method and
> should pass through any dollar signs ($) not followed by a dynamic tag
> (currently only t for the server timestamp).

Have you thought about the implication of the cache here?
Certainly administrators would have to pay careful attention to their caching strategies (and server timezones, for that matter) depending on the accuracy needed for any sort of expiration authorization.
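As an added illustration of the $t substitution discussed in this thread (this is not the attached patch and not mod_authnz_ldap code), the constructed function below expands $t into the UTC server time as YYYYMMDDhhmmss, passes any other $ through unchanged (including a trailing one, the case raised in comment 1), and treats $$ as a literal $ so a dollar sign can still be included deliberately. The function name, the $$ escape and the bounded output buffer are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Expand "$t" in an LDAP filter to the UTC server time as YYYYMMDDhhmmss.
 * "$$" yields a literal "$"; any other "$" (including a trailing one) is
 * copied through unchanged. Returns 0 on success, -1 if out is too small.
 * UTC is used because a filter such as "(expirationDate>=$tZ)" compares
 * against generalizedTime values with a trailing "Z". */
int expand_filter_time(const char *filter, time_t now, char *out, size_t outlen)
{
    char stamp[15];                 /* 14 digits + NUL */
    struct tm tm;
    size_t o = 0;
    const char *p;

    gmtime_r(&now, &tm);
    strftime(stamp, sizeof stamp, "%Y%m%d%H%M%S", &tm);

    for (p = filter; *p; p++) {
        if (*p == '$' && p[1] == 't') {
            size_t n = strlen(stamp);
            if (o + n >= outlen) return -1;
            memcpy(out + o, stamp, n);
            o += n;
            p++;                    /* skip the 't' */
        } else {
            if (*p == '$' && p[1] == '$')
                p++;                /* "$$" -> "$" */
            if (o + 1 >= outlen) return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Convenience wrapper over a static buffer for quick checks; not reentrant. */
const char *expand_filter_time_static(const char *filter, time_t now)
{
    static char buf[512];
    return expand_filter_time(filter, now, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed sample filter; time_t 0 is 1970-01-01 00:00:00 UTC. */
    puts(expand_filter_time_static("(&(expirationDate>=$tZ)(uid=$$u))", (time_t)0));
    return 0;
}
```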