zddr commented on code in PR #51379:
URL: https://github.com/apache/doris/pull/51379#discussion_r2207023860
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java:
##########
@@ -156,32 +156,50 @@ boolean checkPassword(String userName, String password) {
List<String> getGroups(String userName) {
List<String> groups = Lists.newArrayList();
if (LdapConfig.ldap_group_basedn.isEmpty()) {
+ LOG.debug("Group base DN is empty");
Review Comment:
if (LOG.isDebugEnabled()) {
LOG.debug(xxx);
}
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java:
##########
@@ -156,32 +156,50 @@ boolean checkPassword(String userName, String password) {
List<String> getGroups(String userName) {
List<String> groups = Lists.newArrayList();
if (LdapConfig.ldap_group_basedn.isEmpty()) {
+ LOG.debug("Group base DN is empty");
return groups;
}
- String userDn = getUserDn(userName);
- if (userDn == null) {
- return groups;
- }
- List<String> groupDns;
- // Support Open Directory implementations
- // If no group filter is configured, it defaults to querying groups
based on the attribute 'member'
- // for standard LDAP implementations
+ List<String> groupDns;
if (!LdapConfig.ldap_group_filter.isEmpty()) {
- groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
- .base(LdapConfig.ldap_group_basedn)
- .filter(getGroupFilter(LdapConfig.ldap_group_filter,
userName)));
+ // Support Open Directory implementations
+ String filter = LdapConfig.ldap_group_filter.replace("{login}",
userName);
+ LOG.debug("Using group filter: {} with base DN: {}", filter,
LdapConfig.ldap_group_basedn);
+
+ LdapQuery query =
org.springframework.ldap.query.LdapQueryBuilder.query()
+ .attributes("dn")
+ .base(LdapConfig.ldap_group_basedn)
+ .filter(filter);
+
+ groupDns = getDn(query);
+
+ if (groupDns == null || groupDns.isEmpty()) {
+ LOG.debug("No groups found for user: {} using filter: {}",
userName, filter);
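Review bot: The login name is substituted into the LDAP search filter without escaping at `String filter = LdapConfig.ldap_group_filter.replace("{login}", userName);`, so filter metacharacters in the name (`*`, `(`, `)`, `\`) can alter the query that decides group membership, assuming `userName` is the client-supplied login. The removed code went through `getGroupFilter(...)`, whose body is not visible here, so it is unclear whether escaping was dropped or never existed. Either way the value should be encoded before substitution, for example `.replace("{login}", LdapEncoder.filterEncode(userName))` with `org.springframework.ldap.support.LdapEncoder`. The same line recurs in the later quoted copies of this hunk, and the `LOG.debug` calls that print `filter` would then log the encoded form rather than raw input. `getGroups` continues past the quoted lines.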
Review Comment:
ditto
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java:
##########
@@ -156,32 +156,50 @@ boolean checkPassword(String userName, String password) {
List<String> getGroups(String userName) {
List<String> groups = Lists.newArrayList();
if (LdapConfig.ldap_group_basedn.isEmpty()) {
+ LOG.debug("Group base DN is empty");
return groups;
}
- String userDn = getUserDn(userName);
- if (userDn == null) {
- return groups;
- }
- List<String> groupDns;
- // Support Open Directory implementations
- // If no group filter is configured, it defaults to querying groups
based on the attribute 'member'
- // for standard LDAP implementations
+ List<String> groupDns;
if (!LdapConfig.ldap_group_filter.isEmpty()) {
- groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
- .base(LdapConfig.ldap_group_basedn)
- .filter(getGroupFilter(LdapConfig.ldap_group_filter,
userName)));
+ // Support Open Directory implementations
+ String filter = LdapConfig.ldap_group_filter.replace("{login}",
userName);
+ LOG.debug("Using group filter: {} with base DN: {}", filter,
LdapConfig.ldap_group_basedn);
+
+ LdapQuery query =
org.springframework.ldap.query.LdapQueryBuilder.query()
+ .attributes("dn")
Review Comment:
Please provide an example to illustrate the difference in returned results
with and without this line of code
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java:
##########
@@ -156,32 +156,50 @@ boolean checkPassword(String userName, String password) {
List<String> getGroups(String userName) {
List<String> groups = Lists.newArrayList();
if (LdapConfig.ldap_group_basedn.isEmpty()) {
+ LOG.debug("Group base DN is empty");
return groups;
}
- String userDn = getUserDn(userName);
- if (userDn == null) {
- return groups;
- }
- List<String> groupDns;
- // Support Open Directory implementations
- // If no group filter is configured, it defaults to querying groups
based on the attribute 'member'
- // for standard LDAP implementations
+ List<String> groupDns;
if (!LdapConfig.ldap_group_filter.isEmpty()) {
- groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
- .base(LdapConfig.ldap_group_basedn)
- .filter(getGroupFilter(LdapConfig.ldap_group_filter,
userName)));
+ // Support Open Directory implementations
+ String filter = LdapConfig.ldap_group_filter.replace("{login}",
userName);
+ LOG.debug("Using group filter: {} with base DN: {}", filter,
LdapConfig.ldap_group_basedn);
+
+ LdapQuery query =
org.springframework.ldap.query.LdapQueryBuilder.query()
+ .attributes("dn")
+ .base(LdapConfig.ldap_group_basedn)
+ .filter(filter);
+
+ groupDns = getDn(query);
+
+ if (groupDns == null || groupDns.isEmpty()) {
+ LOG.debug("No groups found for user: {} using filter: {}",
userName, filter);
+ return groups;
+ }
} else {
- groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
- .base(LdapConfig.ldap_group_basedn)
- .where("member").is(userDn));
+ // Standard LDAP using member attribute
+ String userDn = getUserDn(userName);
+ if (userDn == null) {
+ LOG.debug("User DN not found for user: {}", userName);
+ return groups;
+ }
+ LOG.debug("Using standard LDAP member attribute with userDn: {}",
userDn);
Review Comment:
ditto
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java:
##########
@@ -156,32 +156,50 @@ boolean checkPassword(String userName, String password) {
List<String> getGroups(String userName) {
List<String> groups = Lists.newArrayList();
if (LdapConfig.ldap_group_basedn.isEmpty()) {
+ LOG.debug("Group base DN is empty");
return groups;
}
- String userDn = getUserDn(userName);
- if (userDn == null) {
- return groups;
- }
- List<String> groupDns;
- // Support Open Directory implementations
- // If no group filter is configured, it defaults to querying groups
based on the attribute 'member'
- // for standard LDAP implementations
+ List<String> groupDns;
if (!LdapConfig.ldap_group_filter.isEmpty()) {
- groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
- .base(LdapConfig.ldap_group_basedn)
- .filter(getGroupFilter(LdapConfig.ldap_group_filter,
userName)));
+ // Support Open Directory implementations
+ String filter = LdapConfig.ldap_group_filter.replace("{login}",
userName);
+ LOG.debug("Using group filter: {} with base DN: {}", filter,
LdapConfig.ldap_group_basedn);
+
+ LdapQuery query =
org.springframework.ldap.query.LdapQueryBuilder.query()
+ .attributes("dn")
+ .base(LdapConfig.ldap_group_basedn)
+ .filter(filter);
+
+ groupDns = getDn(query);
+
+ if (groupDns == null || groupDns.isEmpty()) {
+ LOG.debug("No groups found for user: {} using filter: {}",
userName, filter);
+ return groups;
+ }
} else {
- groupDns =
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
- .base(LdapConfig.ldap_group_basedn)
- .where("member").is(userDn));
+ // Standard LDAP using member attribute
+ String userDn = getUserDn(userName);
+ if (userDn == null) {
+ LOG.debug("User DN not found for user: {}", userName);
Review Comment:
ditto