branch-3.0: [Improvement](LDAP Auth)Enhance LDAP authentication with a configurable group filter #43292

Merged
merged 1 commit into from
Nov 7, 2024
1 change: 1 addition & 0 deletions conf/ldap.conf
Expand Up @@ -30,6 +30,7 @@
# ldap_user_basedn - Search base for users.
# ldap_user_filter - User lookup filter, the placeholder {login} will be replaced by the user supplied login.
# ldap_group_basedn - Search base for groups.
# ldap_group_filter - Group lookup filter, the placeholder {login} will be replaced by the user supplied login. example : "(&(memberUid={login}))"
## step2: Restart fe, and use root or admin account to log in to doris.
## step3: Execute sql statement to set ldap admin password:
# set ldap_admin_password = 'password';
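Review bot: The new `ldap_group_filter` comment should say what happens when the option is left at its default empty value (the code then searches `ldap_group_basedn` for entries whose `member` attribute equals the user's DN) and should warn that `{login}` is substituted verbatim, so a login containing LDAP filter metacharacters (`*`, `(`, `)`, `\`) changes the meaning of the filter rather than being matched literally. Minor: in the example `"(&(memberUid={login}))"` the `&` wraps a single clause and is redundant; `"(memberUid={login})"` is equivalent.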
Expand Up @@ -66,6 +66,12 @@ public class LdapConfig extends ConfigBase {
@ConfigBase.ConfField
public static String ldap_group_basedn = "";

/**
* Group lookup filter, the placeholder {login} will be replaced by the user supplied login.
*/
@ConfigBase.ConfField
public static String ldap_group_filter = "";

/**
* The user LDAP information cache time.
* After timeout, the user information will be retrieved from the LDAP service again.
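Review bot: The Javadoc on `ldap_group_filter` repeats the `{login}` sentence from ldap.conf but omits the two facts an operator needs: an empty value (the default) means groups are resolved by matching `member` against the user's DN, and the filter is only evaluated under `ldap_group_basedn`. Suggest extending it to something like `* Leave empty to look up groups whose 'member' attribute equals the user DN under ldap_group_basedn.`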
Expand Up @@ -159,9 +159,21 @@ List<String> getGroups(String userName) {
if (userDn == null) {
return groups;
}
List<String> groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
List<String> groupDns;

// Support Open Directory implementations
// If no group filter is configured, it defaults to querying groups based on the attribute 'member'
// for standard LDAP implementations
if (!LdapConfig.ldap_group_filter.isEmpty()) {
groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
.base(LdapConfig.ldap_group_basedn)
.filter(getGroupFilter(LdapConfig.ldap_group_filter, userName)));
} else {
groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
.base(LdapConfig.ldap_group_basedn)
.where("member").is(userDn));
}

if (groupDns == null) {
return groups;
}
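Review bot: `getGroupFilter(LdapConfig.ldap_group_filter, userName)` splices the user-supplied login into the LDAP filter string with no escaping, so a login containing `*`, `(` or `)` rewrites the group query (for the documented example, `(&(memberUid={login}))` becomes a filter that can match every group under `ldap_group_basedn`), which turns an authentication input into unintended group memberships. The pre-existing `getUserFilter` has the same pattern, but this branch extends it to authorization data. Encode the value before substitution, e.g. `org.springframework.ldap.support.LdapEncoder.filterEncode(userName)`, or build the query with `LdapQueryBuilder.query().filter(String filterFormat, Object... params)`, which encodes its arguments. Two smaller points: the comment block reads as if the Open Directory remark belonged to the `else` branch; reword it so it is clear that the configurable filter is the Open Directory path (e.g. `memberUid` lookups) and the `member` = `userDn` search is the default. And `userDn`, already resolved above, is unused in the filter branch; a `{userDn}` placeholder alongside `{login}` would let the configured filter target `member`-style attributes as well.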
Expand Down Expand Up @@ -209,4 +221,8 @@ protected String doMapFromContext(DirContextOperations ctx) {
private String getUserFilter(String userFilter, String userName) {
return userFilter.replaceAll("\\{login}", userName);
}

private String getGroupFilter(String groupFilter, String userName) {
return groupFilter.replaceAll("\\{login}", userName);
}
}
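Review bot: `getGroupFilter` is a line-for-line copy of `getUserFilter`; collapse both into one helper such as `substituteLogin(String filter, String login)`. Both use `replaceAll`, which treats its second argument as a regex replacement string: a login containing `$` (for example `a$1`) throws at runtime because `$1` is read as a group reference, and a login containing `\` is mangled. Use the literal `filter.replace("{login}", login)` (or wrap the value in `Matcher.quoteReplacement`), and since the result is an LDAP filter, pass `login` through `LdapEncoder.filterEncode` before substituting it.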