iaorekhov-1980 opened a new issue, #60353: URL: https://github.com/apache/doris/issues/60353
### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/doris/issues?q=is%3Aissue) and found no similar issues.

### Description

In the current configuration there is no explicit check for when a user provides an empty password for LDAP. Because of this, when a user exists in LDAP but a password was not provided, the login attempt succeeds due to the logic of the LDAP protocol. Unfortunately, such behavior is not recommended for a secured environment. So to prevent this situation I'll introduce a change which will support the existing behavior, but will allow login with an empty password to be disabled if needed.

### Solution

There was a similar issue which was abandoned by its author for some reason: https://github.com/apache/doris/pull/54099/files. So I would like to introduce similar logic with minor improvements.

The proposed solution is to introduce into the configuration a new non-mandatory property **ldap_allow_empty_pass** with default value **true**. The default value or an explicitly specified **true** will support the existing behavior, and existing users will be able to log in to LDAP with an empty password. But if **false** is specified, an extra check for an empty password will be introduced and an attempt to log in with an empty password will be denied. Also, a new error code to explicitly identify such a situation will be introduced.

### Are you willing to submit PR?

- [x] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
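The check proposed in the issue above, as an added Java example (not Doris code and not written by the issue author). Only the property name `ldap_allow_empty_pass` comes from the issue; the class, the result codes, the stub directory and the sample user are assumptions made for illustration.

```java
import java.util.Map;

/** Added illustration; every name except ldap_allow_empty_pass is hypothetical. */
public class LdapEmptyPasswordCheck {

    // Hypothetical result codes; ERR_EMPTY_PASSWORD stands in for the new error code.
    enum Result { OK, ERR_EMPTY_PASSWORD, ERR_BAD_CREDENTIALS }

    /** Stand-in for the LDAP server side of a simple bind. */
    interface Directory { boolean simpleBind(String userDn, String password); }

    // Constructed sample data: a single user in a stub directory.
    static final String ALICE = "uid=alice,ou=people,dc=example,dc=org";
    static final Map<String, String> USERS = Map.of(ALICE, "s3cret");

    // Models the behavior the issue describes: for an existing user, a bind
    // with an empty password succeeds without the password being verified.
    static final Directory PERMISSIVE = (dn, pw) ->
            USERS.containsKey(dn) && (pw.isEmpty() || USERS.get(dn).equals(pw));

    static Result login(Directory dir, boolean ldapAllowEmptyPass,
                        String userDn, String password) {
        // Proposed check: refuse before any bind is attempted, so the outcome
        // no longer depends on how the directory treats empty passwords.
        if (!ldapAllowEmptyPass && (password == null || password.isEmpty())) {
            return Result.ERR_EMPTY_PASSWORD;
        }
        String pw = (password == null) ? "" : password;
        return dir.simpleBind(userDn, pw) ? Result.OK : Result.ERR_BAD_CREDENTIALS;
    }

    public static void main(String[] args) {
        // Default (true): existing behavior is kept, the empty password is accepted.
        System.out.println(login(PERMISSIVE, true, ALICE, ""));
        // false: the same attempt is denied with the dedicated error code.
        System.out.println(login(PERMISSIVE, false, ALICE, ""));
        // Non-empty passwords are handled identically under either setting.
        System.out.println(login(PERMISSIVE, false, ALICE, "s3cret"));
        System.out.println(login(PERMISSIVE, false, ALICE, "wrong"));
    }
}
```

Treating `null` the same as an empty string keeps a client that omits the password field from slipping past the check.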
