This is an automated email from the ASF dual-hosted git repository. dataroaring pushed a commit to branch branch-3.0 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-3.0 by this push: new a50a51e6f93 branch-3.0: fix ldap group filter for OpenDirectory #51379 (#55399) a50a51e6f93 is described below commit a50a51e6f9330b9f36456137cc2c4061ad79a3f3 Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> AuthorDate: Fri Sep 5 09:47:16 2025 +0800 branch-3.0: fix ldap group filter for OpenDirectory #51379 (#55399) Cherry-picked from #51379 Co-authored-by: nsivarajan <117266407+nsivara...@users.noreply.github.com> --- .../doris/mysql/authenticate/ldap/LdapClient.java | 33 ++++++++++------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 3ae96945296..1186469a1ec 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -112,7 +112,7 @@ public class LdapClient { private void init() { LdapInfo ldapInfo = Env.getCurrentEnv().getAuth().getLdapInfo(); if (ldapInfo == null || !ldapInfo.isValid()) { - LOG.error("info is null, maybe no ldap admin password is set."); + LOG.error("LDAP info is null or invalid, LDAP admin password may not be set"); ErrorReport.report(ErrorCode.ERROR_LDAP_CONFIGURATION_ERR); throw new RuntimeException("ldapTemplate is not initialized"); } 
@@ -163,18 +163,18 @@ public class LdapClient { return groups; } List<String> groupDns; - - // Support Open Directory implementations - // If no group filter is configured, it defaults to querying groups based on the attribute 'member' - // for standard LDAP implementations if (!LdapConfig.ldap_group_filter.isEmpty()) { + // Support Open Directory implementations + String filter = LdapConfig.ldap_group_filter.replace("{login}", userName); groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query() - .base(LdapConfig.ldap_group_basedn) - .filter(getGroupFilter(LdapConfig.ldap_group_filter, userName))); + .attributes("dn") + .base(LdapConfig.ldap_group_basedn) + .filter(filter)); } else { + // Standard LDAP using member attribute groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query() - .base(LdapConfig.ldap_group_basedn) - .where("member").is(userDn)); + .base(LdapConfig.ldap_group_basedn) + .where("member").is(userDn)); } if (groupDns == null) { @@ -209,11 +209,12 @@ public class LdapClient { private List<String> getDn(LdapQuery query) { init(); try { - return clientInfo.getLdapTemplatePool().search(query, new AbstractContextMapper<String>() { - protected String doMapFromContext(DirContextOperations ctx) { - return ctx.getNameInNamespace(); - } - }); + return clientInfo.getLdapTemplatePool().search(query, + new AbstractContextMapper<String>() { + protected String doMapFromContext(DirContextOperations ctx) { + return ctx.getNameInNamespace(); + } + }); } catch (Exception e) { LOG.error("Get user dn fail.", e); ErrorReport.report(ErrorCode.ERROR_LDAP_CONFIGURATION_ERR); 
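Review bot: The login name is substituted into the group search filter unescaped at `String filter = LdapConfig.ldap_group_filter.replace("{login}", userName);`, so LDAP filter metacharacters in the name (`*`, `(`, `)`, `\`) become part of the query that decides the user's group membership. Whether `userName` is validated before this point is not visible here, so the value should be encoded where it is used, for example `String filter = LdapConfig.ldap_group_filter.replace("{login}", LdapEncoder.filterEncode(userName));` with `org.springframework.ldap.support.LdapEncoder`. The same pattern remains in `getUserFilter` (`userFilter.replaceAll("\\{login}", userName)`, shown as context in the last hunk), where `replaceAll` also treats `$` and `\` in the name as replacement syntax. The enclosing method starts and ends outside this hunk, so how the resulting `groupDns` map to roles should be checked against the full file.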
@@ -224,8 +225,4 @@ public class LdapClient { private String getUserFilter(String userFilter, String userName) { return userFilter.replaceAll("\\{login}", userName); } - - private String getGroupFilter(String groupFilter, String userName) { - return groupFilter.replaceAll("\\{login}", userName); - } } --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org