iaorekhov-1980 commented on code in PR #61440:
URL: https://github.com/apache/doris/pull/61440#discussion_r3086066251
##########
fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java:
##########
@@ -204,4 +204,10 @@ public class LdapConfig extends ConfigBase {
public static String getConnectionURL(String hostPortInAccessibleFormat) {
return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" +
hostPortInAccessibleFormat);
}
+
+ /**
+ * Flag to enable login with empty pass.
+ */
+ @ConfigBase.ConfField(mutable = true)
+ public static boolean ldap_allow_empty_pass = true;
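Review bot: the new field `ldap_allow_empty_pass` defaults to `true`, so login with an empty password stays permitted unless an operator explicitly turns it off. Many LDAP servers treat a simple bind with a DN and an empty password as an unauthenticated bind that succeeds (RFC 4513, section 5.1.2), so consider defaulting to `false`. If `true` is kept for backward compatibility, state that reason in the Javadoc. The Javadoc "Flag to enable login with empty pass." should also give the default, say that the flag applies only to the legacy (non-plugin) authentication path as the PR description does, and mention that `mutable = true` lets it be changed at runtime.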
Review Comment:
Hello!
I've added a note in the PR description and release note that this property is
applicable only to the legacy behavior.
The new plugin-based behavior is excellent and obviously covers this
security requirement.
So I've added tests in the LdapAuthenticationPluginIntegrationTest to verify
that an empty password will be rejected in any case - with and without
ldap_allow_empty_pass enabled.
Just for explanation - the code is duplicated in two legacy places for
proper testing, to verify that this change doesn't interfere with the main password
verification flow.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.