This is an automated email from the ASF dual-hosted git repository.

morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new e567ee0c1c9 [Improvement](LDAP Auth)Enhance LDAP authentication with a 
configurable group filter (#42038)
e567ee0c1c9 is described below

commit e567ee0c1c9ce10d4928ce7933e941ebc866bc6b
Author: nsivarajan <[email protected]>
AuthorDate: Tue Nov 5 21:44:56 2024 +0530

    [Improvement](LDAP Auth)Enhance LDAP authentication with a configurable 
group filter (#42038)
    
    ## Proposed changes
    <!--Describe your changes.-->
    
    This PR enhances LDAP authentication by adding an optional configurable
    filter for retrieving user groups, primarily to support Open Directory
    LDAP implementations. If the configurable property is left empty, the
    existing workflow will remain unchanged.
    
    ---------
    
    Co-authored-by: Sivarajan Narayanan <[email protected]>
---
 conf/ldap.conf                                         |  1 +
 .../main/java/org/apache/doris/common/LdapConfig.java  |  6 ++++++
 .../doris/mysql/authenticate/ldap/LdapClient.java      | 18 +++++++++++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/conf/ldap.conf b/conf/ldap.conf
index f783c53ea96..b501a729d7e 100644
--- a/conf/ldap.conf
+++ b/conf/ldap.conf
@@ -30,6 +30,7 @@
 # ldap_user_basedn - Search base for users.
 # ldap_user_filter - User lookup filter, the placeholder {login} will be 
replaced by the user supplied login.
 # ldap_group_basedn - Search base for groups.
+# ldap_group_filter - Group lookup filter, the placeholder {login} will be 
replaced by the user supplied login. example : "(&(memberUid={login}))"
 ## step2: Restart fe, and use root or admin account to log in to doris.
 ## step3: Execute sql statement to set ldap admin password:
 # set ldap_admin_password = 'password';
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java 
b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
index a6fb10f261d..f174a4ef663 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
@@ -66,6 +66,12 @@ public class LdapConfig extends ConfigBase {
     @ConfigBase.ConfField
     public static String ldap_group_basedn = "";
 
+    /**
+     * Group lookup filter, the placeholder {login} will be replaced by the 
user supplied login.
+     */
+    @ConfigBase.ConfField
+    public static String ldap_group_filter = "";
+
     /**
      * The user LDAP information cache time.
      * After timeout, the user information will be retrieved from the LDAP 
service again.
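Review bot: The Javadoc on `ldap_group_filter` does not say what an empty value means, even though leaving it empty is the only way to keep the previous behaviour; the companion LdapClient change falls back to a `member=<userDn>` lookup when this string is empty. Suggest extending the comment to `* When empty (the default), groups are resolved by the user's DN via the 'member' attribute; when set, the filter is applied as-is under ldap_group_basedn, e.g. "(&(memberUid={login}))".` As the LdapClient change currently stands the substituted login is not filter-escaped, so the Javadoc should also state whether the placeholder value is escaped, so operators know what a wildcard-containing login does to their filter.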
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
index bbb8bf4d378..8d1304658ff 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -159,9 +159,21 @@ public class LdapClient {
         if (userDn == null) {
             return groups;
         }
-        List<String> groupDns = 
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+        List<String> groupDns;
+
+        // Support Open Directory implementations
+        // If no group filter is configured, it defaults to querying groups 
based on the attribute 'member'
+        // for standard LDAP implementations
+        if (!LdapConfig.ldap_group_filter.isEmpty()) {
+            groupDns = 
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+                .base(LdapConfig.ldap_group_basedn)
+                .filter(getGroupFilter(LdapConfig.ldap_group_filter, 
userName)));
+        } else {
+            groupDns = 
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
                 .base(LdapConfig.ldap_group_basedn)
                 .where("member").is(userDn));
+        }
+
         if (groupDns == null) {
             return groups;
         }
@@ -209,4 +221,8 @@ public class LdapClient {
     private String getUserFilter(String userFilter, String userName) {
         return userFilter.replaceAll("\\{login}", userName);
     }
+
+    private String getGroupFilter(String groupFilter, String userName) {
+        return groupFilter.replaceAll("\\{login}", userName);
+    }
 }
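Review bot: `groupFilter.replaceAll("\\{login}", userName)` treats `userName` as a regex replacement string, so a login containing `$` or `\` is reinterpreted rather than inserted literally (a `$N` reference to a group the pattern does not have, or a trailing `$`/`\`, throws at runtime), which is a correctness bug and a cheap way for an attacker to break the group lookup or produce an unintended filter. Use the literal form `return groupFilter.replace("{login}", userName);` (or wrap the value in `java.util.regex.Matcher.quoteReplacement`), and because the result is an LDAP filter the login should be filter-escaped before substitution as well. The method is also a verbatim copy of `getUserFilter` directly above it; one private helper such as `substituteLogin(String filter, String login)` used by both would keep the user and group lookups consistent.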

