branch-3.0: [Improvement](LDAP Auth)Enhance LDAP authentication with …

…a configurable group filter (#43292) Cherry-picked from #42038 Co-authored-by: nsivarajan <117266407+nsivarajan@users.noreply.github.com> Co-authored-by: Sivarajan Narayanan <narayanan_sivarajan@apple.com>
apache · Nov 7, 2024 · e682fa2 · e682fa2
1 parent 0e2f475
commit e682fa2
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/conf/ldap.conf b/conf/ldap.conf
@@ -30,6 +30,7 @@
 # ldap_user_basedn - Search base for users.
 # ldap_user_filter - User lookup filter, the placeholder {login} will be replaced by the user supplied login.
 # ldap_group_basedn - Search base for groups.
+# ldap_group_filter - Group lookup filter, the placeholder {login} will be replaced by the user supplied login. example : "(&(memberUid={login}))"
 ## step2: Restart fe, and use root or admin account to log in to doris.
 ## step3: Execute sql statement to set ldap admin password:
 # set ldap_admin_password = 'password';

diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
@@ -66,6 +66,12 @@ public class LdapConfig extends ConfigBase {
     @ConfigBase.ConfField
     public static String ldap_group_basedn = "";
 
+    /**
+     * Group lookup filter, the placeholder {login} will be replaced by the user supplied login.
+     */
+    @ConfigBase.ConfField
+    public static String ldap_group_filter = "";
+
     /**
      * The user LDAP information cache time.
      * After timeout, the user information will be retrieved from the LDAP service again.

diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -159,9 +159,21 @@ List<String> getGroups(String userName) {
         if (userDn == null) {
             return groups;
         }
-        List<String> groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+        List<String> groupDns;
+
+        // Support Open Directory implementations
+        // If no group filter is configured, it defaults to querying groups based on the attribute 'member'
+        // for standard LDAP implementations
+        if (!LdapConfig.ldap_group_filter.isEmpty()) {
+            groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+                .base(LdapConfig.ldap_group_basedn)
+                .filter(getGroupFilter(LdapConfig.ldap_group_filter, userName)));
+        } else {
+            groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
                 .base(LdapConfig.ldap_group_basedn)
                 .where("member").is(userDn));
+        }
+
         if (groupDns == null) {
             return groups;
         }
@@ -209,4 +221,8 @@ protected String doMapFromContext(DirContextOperations ctx) {
     private String getUserFilter(String userFilter, String userName) {
         return userFilter.replaceAll("\\{login}", userName);
     }
+
+    private String getGroupFilter(String groupFilter, String userName) {
+        return groupFilter.replaceAll("\\{login}", userName);
+    }
 }