This is an automated email from the ASF dual-hosted git repository.
dataroaring pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-3.0 by this push:
new e682fa2fed6 branch-3.0: [Improvement](LDAP Auth)Enhance LDAP
authentication with a configurable group filter (#43292)
e682fa2fed6 is described below
commit e682fa2fed6f1089ce3a49c017cb103de8fdfa09
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Thu Nov 7 11:52:10 2024 +0800
branch-3.0: [Improvement](LDAP Auth)Enhance LDAP authentication with a
configurable group filter (#43292)
Cherry-picked from #42038
Co-authored-by: nsivarajan <[email protected]>
Co-authored-by: Sivarajan Narayanan <[email protected]>
---
conf/ldap.conf | 1 +
.../main/java/org/apache/doris/common/LdapConfig.java | 6 ++++++
.../doris/mysql/authenticate/ldap/LdapClient.java | 18 +++++++++++++++++-
3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/conf/ldap.conf b/conf/ldap.conf
index f783c53ea96..b501a729d7e 100644
--- a/conf/ldap.conf
+++ b/conf/ldap.conf
@@ -30,6 +30,7 @@
# ldap_user_basedn - Search base for users.
# ldap_user_filter - User lookup filter, the placeholder {login} will be
replaced by the user supplied login.
# ldap_group_basedn - Search base for groups.
+# ldap_group_filter - Group lookup filter, the placeholder {login} will be
replaced by the user supplied login. example : "(&(memberUid={login}))"
## step2: Restart fe, and use root or admin account to log in to doris.
## step3: Execute sql statement to set ldap admin password:
# set ldap_admin_password = 'password';
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
index a6fb10f261d..f174a4ef663 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
@@ -66,6 +66,12 @@ public class LdapConfig extends ConfigBase {
@ConfigBase.ConfField
public static String ldap_group_basedn = "";
+ /**
+ * Group lookup filter, the placeholder {login} will be replaced by the
user supplied login.
+ */
+ @ConfigBase.ConfField
+ public static String ldap_group_filter = "";
+
/**
* The user LDAP information cache time.
* After timeout, the user information will be retrieved from the LDAP
service again.
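Review bot: The Javadoc on the new `ldap_group_filter` field does not say what the empty default means, although the consumer in LdapClient treats an empty value as "fall back to the `member`-attribute lookup under ldap_group_basedn". Since an operator reads this field's comment to decide whether to set it, I would extend it to: `Group lookup filter; the placeholder {login} is replaced by the user supplied login. Empty (the default) means groups are found by searching ldap_group_basedn for entries whose member attribute equals the user's DN.` Stating that the value is used as a raw LDAP filter string would also help, because that is what makes its contents security-relevant.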
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
index bbb8bf4d378..8d1304658ff 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -159,9 +159,21 @@ public class LdapClient {
if (userDn == null) {
return groups;
}
- List<String> groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+ List<String> groupDns;
+
+ // Support Open Directory implementations
+ // If no group filter is configured, it defaults to querying groups
based on the attribute 'member'
+ // for standard LDAP implementations
+ if (!LdapConfig.ldap_group_filter.isEmpty()) {
+ groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+ .base(LdapConfig.ldap_group_basedn)
+ .filter(getGroupFilter(LdapConfig.ldap_group_filter,
userName)));
+ } else {
+ groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
.base(LdapConfig.ldap_group_basedn)
.where("member").is(userDn));
+ }
+
if (groupDns == null) {
return groups;
}
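Review bot: The configured-filter branch splices the caller-supplied `userName` into `LdapConfig.ldap_group_filter` as raw text via `getGroupFilter`, whereas the `else` branch it parallels goes through `.where("member").is(userDn)`, where the query builder escapes the value; the new branch therefore has no LDAP filter encoding for the login, and the pre-existing `getUserFilter` (next hunk) has the same shape. Encode before substituting, e.g. in `getGroupFilter`: `return groupFilter.replace("{login}", LdapEncoder.filterEncode(userName));` with `org.springframework.ldap.support.LdapEncoder` imported from the Spring LDAP library the file already uses. Using `replace` instead of `replaceAll` also stops `$` and `\` in a login from being interpreted as regex replacement syntax, which with the current code can throw at query time. The enclosing method begins before this hunk, so whether `userName` is already validated upstream cannot be confirmed from here.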
@@ -209,4 +221,8 @@ public class LdapClient {
private String getUserFilter(String userFilter, String userName) {
return userFilter.replaceAll("\\{login}", userName);
}
+
+ private String getGroupFilter(String groupFilter, String userName) {
+ return groupFilter.replaceAll("\\{login}", userName);
+ }
}
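Review bot: `getGroupFilter` is a line-for-line copy of `getUserFilter` directly above it, differing only in the parameter name. One helper such as `private String substituteLogin(String filter, String userName)` called from both sites would keep the two filters' substitution (and any escaping later added to it) in a single place, rather than having to be fixed twice.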