iaorekhov-1980 opened a new pull request, #60372:
URL: https://github.com/apache/doris/pull/60372
### What problem does this PR solve?
This PR adds a new configuration property, **ldap_allow_empty_pass**, to
prohibit the option for an existing user to log in to LDAP with an empty password.
If **ldap_allow_empty_pass** in ldap.conf is not specified or is specified as
**true**, the user can log in with an empty pass (existing behavior).
If **ldap_allow_empty_pass** is specified as **false**, a login attempt with
an empty password will be rejected with a corresponding error message.
**Could you please include this PR into 4.x and 3.1.x branches, please!**
Issue Number: close #60353
Related PR: #xxx
Problem Summary:
Currently it is possible for an existing user to log in to LDAP with an empty
password.
The new configuration property disables this option, but the default behavior still
allows login without a specified password.
### Release note
None
### Check List (For Author)
- Test <!-- At least one of them must be included. -->
    - [ ] Regression test
    - [x] Unit Test
    - [ ] Manual test (add detailed scripts or steps below)
    - [ ] No need to test or manual test. Explain why:
        - [ ] This is a refactor/code format and no logic has been changed.
        - [ ] Previous test can cover this change.
        - [ ] No code files have been changed.
        - [ ] Other reason <!-- Add your reason? -->
- Behavior changed:
    - [ ] No.
    - [x] Yes. <!-- Explain the behavior change -->
        1. ldap.conf and LdapConfig.java - new configuration property
           **ldap_allow_empty_pass** with default value **true**, to keep the
           existing behavior as default.
        2. ErrorCode.java - a specific error message for the empty-password case
           was added.
        3. LdapAuthenticator.java and Auth.java - an additional check was added to
           validate two conditions:
            - 3.1 the user has specified an empty password
            - 3.2 the property **ldap_allow_empty_pass** is **false** and doesn't
              allow login with an empty password

           If both conditions are met, authentication fails and the new error is
           returned.
        4. LdapAuthenticatorTest.java - introduced a new test method to validate the
           existing behavior (with the **ldap_allow_empty_pass** property not
           specified or set to true) and the new one (with the **ldap_use_ssl**
           property set to false), to check that login is still successful in the
           first case and fails in the second one.
- Does this need documentation?
    - [x] No.
    - [ ] Yes. <!-- Add document PR link here. eg:
https://github.com/apache/doris-website/pull/1214 -->
### Check List (For Reviewer who merge this PR)
- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR should
merge into -->
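The check described in item 3 of the description above, as an added Java example that is not part of the pull request or of the Doris code base. The class, method and error-message names are hypothetical, the ldap.conf text is constructed sample input, and treating a null password as empty and running the check ahead of the LDAP bind are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

// Added illustration; names are hypothetical and this is not Doris code.
public class EmptyPasswordGateExample {

    // Hypothetical stand-in for the new ErrorCode entry; the real message text is not on the page.
    static final String EMPTY_PASS_ERROR = "LDAP login with an empty password is not allowed";

    // Reads ldap_allow_empty_pass from ldap.conf-style text.
    // A missing property means true, which keeps the existing behavior.
    static boolean allowEmptyPass(String ldapConf) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(ldapConf));
        return Boolean.parseBoolean(props.getProperty("ldap_allow_empty_pass", "true").trim());
    }

    // Returns null when the attempt may continue to the LDAP bind, or the error to report.
    // Assumption: a null password is treated the same as an empty one.
    static String checkPassword(String password, boolean allowEmptyPass) {
        boolean emptyPassword = password == null || password.isEmpty();
        if (emptyPassword && !allowEmptyPass) {
            return EMPTY_PASS_ERROR; // both conditions met: authentication fails
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample configurations: property absent, true, and false.
        String[] confs = {
            "ldap_host = ldap.example.com\n",
            "ldap_host = ldap.example.com\nldap_allow_empty_pass = true\n",
            "ldap_host = ldap.example.com\nldap_allow_empty_pass = false\n"
        };
        String[] passwords = {"", "s3cret"};
        for (String conf : confs) {
            boolean allow = allowEmptyPass(conf);
            for (String pw : passwords) {
                String err = checkPassword(pw, allow);
                System.out.printf("allow_empty_pass=%-5b password=%-7s -> %s%n",
                        allow, pw.isEmpty() ? "<empty>" : "<set>",
                        err == null ? "continue to LDAP bind" : "rejected: " + err);
            }
        }
    }
}
```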