From 006af565601368f054eb783b3bcaf98b46f6829b Mon Sep 17 00:00:00 2001
From: Sivarajan Narayanan
Date: Thu, 17 Oct 2024 15:01:48 +0530
Subject: [PATCH 1/2] Enhance LDAP authentication with a configurable group filter

---
 conf/ldap.conf | 1 +
 .../org/apache/doris/common/LdapConfig.java | 6 ++++++
 .../mysql/authenticate/ldap/LdapClient.java | 17 ++++++++++++++++-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/conf/ldap.conf b/conf/ldap.conf
index f783c53ea96da9..b501a729d7e8cc 100644
--- a/conf/ldap.conf
+++ b/conf/ldap.conf
@@ -30,6 +30,7 @@
 # ldap_user_basedn - Search base for users.
 # ldap_user_filter - User lookup filter, the placeholder {login} will be replaced by the user supplied login.
 # ldap_group_basedn - Search base for groups.
+# ldap_group_filter - Group lookup filter, the placeholder {login} will be replaced by the user supplied login. example : "(&(memberUid={login}))"
 ## step2: Restart fe, and use root or admin account to log in to doris.
 ## step3: Execute sql statement to set ldap admin password:
 # set ldap_admin_password = 'password';
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
index a6fb10f261d597..f174a4ef663683 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
@@ -66,6 +66,12 @@ public class LdapConfig extends ConfigBase {
 @ConfigBase.ConfField
 public static String ldap_group_basedn = "";

+ /**
* Group lookup filter, the placeholder {login} will be replaced by the user supplied login.
*/
@ConfigBase.ConfField
public static String ldap_group_filter = "";
+
 /**
 * The user LDAP information cache time.
 * After timeout, the user information will be retrieved from the LDAP service again.
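Review bot: The Javadoc on the new `ldap_group_filter` field in the LdapConfig hunk does not say what its empty default means, although the LdapClient change in this same patch falls back to the `member`-attribute lookup whenever the value is empty. Operators reading the config class alone cannot tell that leaving it blank is the supported "standard LDAP" mode, so the comment should state it, e.g. `* Leave empty (the default) to look groups up via the 'member' attribute of the resolved user DN instead.` It would also help to say that `{login}` receives the login string as supplied by the client, so the filter must be written with that in mind.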
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
index bbb8bf4d378879..cf14849b1addb7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -159,9 +159,20 @@ List getGroups(String userName) {
 if (userDn == null) {
 return groups;
 }
- List groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+ List groupDns;
+
+ // Support Open Directory implementations
// If no group filter is configured, it defaults to querying groups based on the attribute 'member' for standard LDAP implementations
if (!LdapConfig.ldap_group_filter.isEmpty()) {
+ groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
.base(LdapConfig.ldap_group_basedn)
.filter(getGroupFilter(LdapConfig.ldap_group_filter, userName)));
}else{
groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
 .base(LdapConfig.ldap_group_basedn)
 .where("member").is(userDn));
+ }
+
 if (groupDns == null) {
 return groups;
 }
@@ -209,4 +220,8 @@ protected String doMapFromContext(DirContextOperations ctx) {
 private String getUserFilter(String userFilter, String userName) {
 return userFilter.replaceAll("\\{login}", userName);
 }
+
+ private String getGroupFilter(String groupFilter, String userName) {
return groupFilter.replaceAll("\\{login}", userName);
+ }
 }

From af3989b19a2838ebb304dc44235c9ebc15633bc2 Mon Sep 17 00:00:00 2001
From: Sivarajan Narayanan
Date: Fri, 18 Oct 2024 11:57:35 +0530
Subject: [PATCH 2/2] Handle compile failure with beautification

---
 .../org/apache/doris/mysql/authenticate/ldap/LdapClient.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
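Review bot: The new `.filter(getGroupFilter(...))` branch in getGroups builds the LDAP filter by plain string substitution, so a login containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) changes the query that is sent, whereas the existing `.where("member").is(userDn)` branch goes through Spring's query builder, which encodes the value; the helper defined in the second hunk is where the fix belongs, and the wrap-only hunk in PATCH 2/2 carries the same call unchanged. `replaceAll` additionally interprets `$` and `\` in userName as replacement-string syntax, so a literal replace is the safer primitive regardless. Encode the login before substituting it: `return groupFilter.replace("{login}", LdapEncoder.filterEncode(userName));` with `org.springframework.ldap.support.LdapEncoder` added to the import block, which lies outside these hunks. getUserFilter, visible as context in the second hunk, has the same substitution and would benefit from the same treatment, ideally by sharing one helper rather than keeping two copies. getGroups starts and ends outside the first hunk.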
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
index cf14849b1addb7..8d1304658ff2a0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -162,12 +162,13 @@ List getGroups(String userName) {
 List groupDns;

 // Support Open Directory implementations
- // If no group filter is configured, it defaults to querying groups based on the attribute 'member' for standard LDAP implementations
+ // If no group filter is configured, it defaults to querying groups based on the attribute 'member'
+ // for standard LDAP implementations
 if (!LdapConfig.ldap_group_filter.isEmpty()) {
 groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
 .base(LdapConfig.ldap_group_basedn)
 .filter(getGroupFilter(LdapConfig.ldap_group_filter, userName)));
- }else{
+ } else {
 groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
 .base(LdapConfig.ldap_group_basedn)
 .where("member").is(userDn));