This is an automated email from the ASF dual-hosted git repository.
zihaoxiang pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git
The following commit(s) were added to refs/heads/dev by this push:
new 4d72bc4624 [Fix-17797][Helm] fix broken LDAP auth and missing search
filter (#17802)
4d72bc4624 is described below
commit 4d72bc462491b932c4948830a642a58c6b8aaa9d
Author: docherak <[email protected]>
AuthorDate: Mon Dec 22 03:31:45 2025 +0100
[Fix-17797][Helm] fix broken LDAP auth and missing search filter (#17802)
---
deploy/kubernetes/dolphinscheduler/README.md | 5 +++--
deploy/kubernetes/dolphinscheduler/templates/_helpers.tpl | 10 ++++++----
deploy/kubernetes/dolphinscheduler/values.yaml | 10 ++++++----
3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/deploy/kubernetes/dolphinscheduler/README.md
b/deploy/kubernetes/dolphinscheduler/README.md
index 627f218148..0ca2806044 100644
--- a/deploy/kubernetes/dolphinscheduler/README.md
+++ b/deploy/kubernetes/dolphinscheduler/README.md
@@ -306,8 +306,9 @@ Please refer to the [Quick Start in
Kubernetes](../../../docs/docs/en/guide/inst
| security.authentication.ldap.ssl.jksbase64content | string | `""` | LDAP jks
file base64 content. If you use macOS, please run `base64 -b 0 -i
/path/to/your.jks`. If you use Linux, please run `base64 -w 0
/path/to/your.jks`. If you use Windows, please run `certutil -f -encode
/path/to/your.jks`. Then copy the base64 content to below field in one line |
| security.authentication.ldap.ssl.truststore | string |
`"/opt/ldapkeystore.jks"` | LDAP jks file absolute path, do not change this
value |
| security.authentication.ldap.ssl.truststorepassword | string | `""` | LDAP
jks password |
-| security.authentication.ldap.urls | string |
`"ldap://ldap.forumsys.com:389/"` | LDAP urls |
-| security.authentication.ldap.user.admin | string | `"read-only-admin"` |
Admin user account when you log-in with LDAP |
+| security.authentication.ldap.url | string |
`"ldap://ldap.forumsys.com:389/"` | LDAP url |
+| security.authentication.ldap.user.adminuserfilter | string |
`"(&(uid={0})(memberOf=cn=admin-group,ou=apps,dc=example,dc=com))"` | Any user
matching this filter becomes an Admin. If set to `""`, ignore this option |
+| security.authentication.ldap.user.adminusername | string |
`"read-only-admin"` | Admin user account when you log-in with LDAP. If the
filter doesn't match anything this also acts as fallback. Set to `""` to ignore
this option if you want to use filter only |
| security.authentication.ldap.user.emailattribute | string | `"mail"` | LDAP
user email attribute |
| security.authentication.ldap.user.identityattribute | string | `"uid"` |
LDAP user identity attribute |
| security.authentication.ldap.user.notexistaction | string | `"CREATE"` |
action when ldap user is not exist,default value: CREATE. Optional values
include(CREATE,DENY) |
diff --git a/deploy/kubernetes/dolphinscheduler/templates/_helpers.tpl
b/deploy/kubernetes/dolphinscheduler/templates/_helpers.tpl
index ba3c8e367e..7363175a59 100644
--- a/deploy/kubernetes/dolphinscheduler/templates/_helpers.tpl
+++ b/deploy/kubernetes/dolphinscheduler/templates/_helpers.tpl
@@ -195,16 +195,18 @@ Create a security environment variables.
- name: SECURITY_AUTHENTICATION_TYPE
value: {{ .Values.security.authentication.type | quote }}
{{- if eq .Values.security.authentication.type "LDAP" }}
-- name: SECURITY_AUTHENTICATION_LDAP_URLS
- value: {{ .Values.security.authentication.ldap.urls | quote }}
+- name: SECURITY_AUTHENTICATION_LDAP_URL
+ value: {{ .Values.security.authentication.ldap.url | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_BASE_DN
value: {{ .Values.security.authentication.ldap.basedn | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_USERNAME
value: {{ .Values.security.authentication.ldap.username | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_PASSWORD
value: {{ .Values.security.authentication.ldap.password | quote }}
-- name: SECURITY_AUTHENTICATION_LDAP_USER_ADMIN
- value: {{ .Values.security.authentication.ldap.user.admin | quote }}
+- name: SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USERNAME
+ value: {{ .Values.security.authentication.ldap.user.adminusername | quote }}
+- name: SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USER_FILTER
+ value: {{ .Values.security.authentication.ldap.user.adminuserfilter | quote
}}
- name: SECURITY_AUTHENTICATION_LDAP_USER_IDENTITY_ATTRIBUTE
value: {{ .Values.security.authentication.ldap.user.identityattribute |
quote }}
- name: SECURITY_AUTHENTICATION_LDAP_USER_EMAIL_ATTRIBUTE
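Review bot: The renamed value keys on the added lines (`.Values.security.authentication.ldap.url`, `.user.adminusername`, `.user.adminuserfilter`) have no fallback to the previous `ldap.urls` / `ldap.user.admin` keys, so a values file written for the earlier chart renders `SECURITY_AUTHENTICATION_LDAP_URL` from a nil value (with `quote`, presumably an empty string) and LDAP login stops working silently rather than failing at install time. Because this block only renders when `type` is `LDAP`, the URL line can fail fast instead: `value: {{ required "security.authentication.ldap.url is required when security.authentication.type is LDAP" .Values.security.authentication.ldap.url | quote }}`. Alternatively keep honouring the old keys for one release via `default`/`coalesce` and call out the rename in the chart's upgrade notes. The named template this hunk belongs to starts before the hunk.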
diff --git a/deploy/kubernetes/dolphinscheduler/values.yaml
b/deploy/kubernetes/dolphinscheduler/values.yaml
index 039760e046..3beefea212 100644
--- a/deploy/kubernetes/dolphinscheduler/values.yaml
+++ b/deploy/kubernetes/dolphinscheduler/values.yaml
@@ -221,8 +221,8 @@ security:
type: PASSWORD
# IF you set type `LDAP`, below config will be effective
ldap:
- # -- LDAP urls
- urls: ldap://ldap.forumsys.com:389/
+ # -- LDAP url
+ url: ldap://ldap.forumsys.com:389/
# -- LDAP base dn
basedn: dc=example,dc=com
# -- LDAP username
@@ -230,8 +230,10 @@ security:
# -- LDAP password
password: password
user:
- # -- Admin user account when you log-in with LDAP
- admin: read-only-admin
+ # -- Any user matching this filter becomes an Admin. If set to `""`,
ignore this option
+ adminuserfilter:
(&(uid={0})(memberOf=cn=admin-group,ou=apps,dc=example,dc=com))
+ # -- Admin user account when you log-in with LDAP. If the filter
doesn't match anything this also acts as fallback. Set to `""` to ignore this
option if you want to use filter only
+ adminusername: read-only-admin
# -- LDAP user identity attribute
identityattribute: uid
# -- LDAP user email attribute
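Review bot: The new `adminuserfilter` default is a plain scalar that starts with `(` and contains `&`, `{` and `}`; it parses as intended, but it is exactly the kind of value that linters flag and that a later edit can break, and the README already presents it as a quoted string, so quote it here too: `adminuserfilter: "(&(uid={0})(memberOf=cn=admin-group,ou=apps,dc=example,dc=com))"`. The filter also hardcodes `uid=` while `identityattribute: uid` is a separate setting a few lines below; a comment such as `# the attribute used in this filter should match identityattribute below` would save an operator who changes one but not the other (what `{0}` is substituted with is not visible here and is worth naming in that comment). Finally, both `adminuserfilter` and `adminusername` ship with sample values, so a deployment that overrides only the connection settings still grants Admin to whatever account matches `read-only-admin` or the sample group; consider stating in the comment that both must be set deliberately, or defaulting `adminuserfilter` to `""` as the "ignore" case the comment already describes.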