This is an automated email from the ASF dual-hosted git repository.

yiguolei pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-2.1 by this push:
     new 80fd76677ed branch-2.1: [Improvement](LDAP Auth)Enhance LDAP 
authentication with a configurable group filter (#43293)
80fd76677ed is described below

commit 80fd76677ed72390a093ccb742921bca4a7ee317
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Sun Nov 10 10:06:13 2024 +0800

    branch-2.1: [Improvement](LDAP Auth)Enhance LDAP authentication with a 
configurable group filter (#43293)
    
    Cherry-picked from #42038
    
    Co-authored-by: nsivarajan <117266407+nsivara...@users.noreply.github.com>
    Co-authored-by: Sivarajan Narayanan <narayanan_sivara...@apple.com>
---
 conf/ldap.conf                                         |  1 +
 .../main/java/org/apache/doris/common/LdapConfig.java  |  6 ++++++
 .../doris/mysql/authenticate/ldap/LdapClient.java      | 18 +++++++++++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/conf/ldap.conf b/conf/ldap.conf
index f783c53ea96..b501a729d7e 100644
--- a/conf/ldap.conf
+++ b/conf/ldap.conf
@@ -30,6 +30,7 @@
 # ldap_user_basedn - Search base for users.
 # ldap_user_filter - User lookup filter, the placeholder {login} will be 
replaced by the user supplied login.
 # ldap_group_basedn - Search base for groups.
+# ldap_group_filter - Group lookup filter, the placeholder {login} will be 
replaced by the user supplied login. example : "(&(memberUid={login}))"
 ## step2: Restart fe, and use root or admin account to log in to doris.
 ## step3: Execute sql statement to set ldap admin password:
 # set ldap_admin_password = 'password';
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java 
b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
index a6fb10f261d..f174a4ef663 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
@@ -66,6 +66,12 @@ public class LdapConfig extends ConfigBase {
     @ConfigBase.ConfField
     public static String ldap_group_basedn = "";
 
+    /**
+     * Group lookup filter, the placeholder {login} will be replaced by the 
user supplied login.
+     */
+    @ConfigBase.ConfField
+    public static String ldap_group_filter = "";
+
     /**
      * The user LDAP information cache time.
      * After timeout, the user information will be retrieved from the LDAP 
service again.
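Review bot: The Javadoc on the new `ldap_group_filter` field does not say what setting it changes: as the caller in LdapClient shows, a non-empty value replaces the default `member`-is-`userDn` group lookup entirely, and the value must be a complete LDAP search filter into which the login is substituted. Since group membership feeds authorization, the operator reading this config class should see that. Suggest extending the comment with `* When non-empty this replaces the default lookup on the "member" attribute; the value must be a complete LDAP search filter, e.g. "(&(memberUid={login}))".`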
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
index bbb8bf4d378..8d1304658ff 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -159,9 +159,21 @@ public class LdapClient {
         if (userDn == null) {
             return groups;
         }
-        List<String> groupDns = 
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+        List<String> groupDns;
+
+        // Support Open Directory implementations
+        // If no group filter is configured, it defaults to querying groups 
based on the attribute 'member'
+        // for standard LDAP implementations
+        if (!LdapConfig.ldap_group_filter.isEmpty()) {
+            groupDns = 
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+                .base(LdapConfig.ldap_group_basedn)
+                .filter(getGroupFilter(LdapConfig.ldap_group_filter, 
userName)));
+        } else {
+            groupDns = 
getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
                 .base(LdapConfig.ldap_group_basedn)
                 .where("member").is(userDn));
+        }
+
         if (groupDns == null) {
             return groups;
         }
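Review bot: The configured branch passes the raw login into the filter string via `getGroupFilter(LdapConfig.ldap_group_filter, userName)` at the `.filter(...)` call, so characters that are special in an LDAP filter (`*`, `(`, `)`, `\`, NUL) in a user-supplied login alter the query instead of being matched literally; the `else` branch gets that escaping from `.where("member").is(userDn)`, the string-built branch does not. The `getGroupFilter` helper added at the end of this file should encode the value before substitution, e.g. `return groupFilter.replace("{login}", org.springframework.ldap.support.LdapEncoder.filterEncode(userName));`, which also drops `replaceAll`, whose replacement argument interprets `$` and `\` in the login (an unbalanced `$` throws). The enclosing method begins above this hunk, so I could not confirm whether `userName` is validated earlier; the pre-existing `getUserFilter` has the same shape and would benefit from the same treatment.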
@@ -209,4 +221,8 @@ public class LdapClient {
     private String getUserFilter(String userFilter, String userName) {
         return userFilter.replaceAll("\\{login}", userName);
     }
+
+    private String getGroupFilter(String groupFilter, String userName) {
+        return groupFilter.replaceAll("\\{login}", userName);
+    }
 }
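Review bot: `getGroupFilter` is a byte-for-byte copy of `getUserFilter` directly above it, differing only in the parameter name, so any later fix to the placeholder handling has to be made twice. Either have one delegate to the other, `private String getGroupFilter(String groupFilter, String userName) { return getUserFilter(groupFilter, userName); }`, or rename the pair to a single `substituteLogin(String filter, String userName)` used by both call sites.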

