zddr opened a new pull request, #54099:
URL: https://github.com/apache/doris/pull/54099
### What problem does this PR solve?
When LDAP is enabled with null bind, an empty password will automatically
convert to an anonymous user login. This scenario is judged as a correct
password, and since the username used actually exists, the corresponding user
can also be correctly found through the LDAP account. As a result, it becomes
possible to log in to any LDAP account with an empty password.
Resolve:
Add an LDAP config, ldap_allow_empty_password; the default is true.
When it is set to false, logging in with an empty password will fail.
```
mysql -h127.0.0.1 -P 3030 -u zd -p --enable-cleartext-plugin
Enter password:
ERROR 6001 (42000): not allow empty password.
```
Issue Number: close #xxx
Related PR: #xxx
Problem Summary:
Add a configuration to prohibit accessing LDAP with an empty password
### Release note
Add a configuration to prohibit accessing LDAP with an empty password
### Check List (For Author)
- Test <!-- At least one of them must be included. -->
- [ ] Regression test
- [ ] Unit Test
- [ ] Manual test (add detailed scripts or steps below)
- [ ] No need to test or manual test. Explain why:
- [ ] This is a refactor/code format and no logic has been changed.
- [ ] Previous test can cover this change.
- [ ] No code files have been changed.
- [ ] Other reason <!-- Add your reason? -->
- Behavior changed:
- [ ] No.
- [ ] Yes. <!-- Explain the behavior change -->
- Does this need documentation?
- [ ] No.
- [ ] Yes. <!-- Add document PR link here. eg:
https://github.com/apache/doris-website/pull/1214 -->
### Check List (For Reviewer who merge this PR)
- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR should
merge into -->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
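A small model of the flaw described in this pull request and of the effect of the new switch, added here as an example and not taken from the Doris code base. `ToyLdapServer`, `authenticate`, the DN layout and the sample password are constructed assumptions; only the name `ldap_allow_empty_password` and its default come from the PR.

```python
"""Constructed model: no real LDAP server or Doris code is involved."""

# Constructed sample directory: DN -> password.
DIRECTORY = {"uid=zd,ou=people,dc=example,dc=org": "s3cret-constructed"}


class ToyLdapServer:
    """Models simple-bind outcomes as described in RFC 4513 section 5.1."""

    def __init__(self, directory, allow_unauthenticated_bind=True):
        self.directory = directory
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        """Return the resulting authorization state, or None if rejected."""
        if password == "":
            # Empty password: the DN's credentials are never checked. If the
            # server permits it, the bind succeeds in an anonymous state.
            return "anonymous" if self.allow_unauthenticated_bind else None
        if self.directory.get(dn) == password:
            return dn
        return None


def authenticate(server, user, password, allow_empty_password=True):
    """Hypothetical client-side login check.

    allow_empty_password mirrors the PR's ldap_allow_empty_password switch
    (default true); the function itself is an assumption, not Doris code.
    """
    dn = f"uid={user},ou=people,dc=example,dc=org"
    if dn not in server.directory:  # the user lookup finds a real account
        return False
    if password == "" and not allow_empty_password:
        return False  # refuse before any bind is attempted
    # Flaw being modelled: any successful bind is read as "password correct".
    return server.simple_bind(dn, password) is not None
```

With the default value the empty-password login is accepted for an existing account; with the switch set to false it is refused while a login with the real password still succeeds.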