From 3a18e57e99c76953af26f7661b6ebd1f51411a44 Mon Sep 17 00:00:00 2001
From: nsivarajan <117266407+nsivarajan@users.noreply.github.com>
Date: Tue, 5 Nov 2024 21:44:56 +0530
Subject: [PATCH] [Improvement](LDAP Auth)Enhance LDAP authentication with a configurable group filter (#42038)
## Proposed changes
This PR enhances LDAP authentication by adding an optional configurable filter for retrieving user groups, primarily to support Open Directory LDAP implementations. If the configurable property is left empty, the existing workflow will remain unchanged.
---------
Co-authored-by: Sivarajan Narayanan
---
 conf/ldap.conf | 1 +
 .../org/apache/doris/common/LdapConfig.java | 6 ++++++
 .../mysql/authenticate/ldap/LdapClient.java | 18 +++++++++++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/conf/ldap.conf b/conf/ldap.conf
index f783c53ea96da9..b501a729d7e8cc 100644
--- a/conf/ldap.conf
+++ b/conf/ldap.conf
@@ -30,6 +30,7 @@
 # ldap_user_basedn - Search base for users.
 # ldap_user_filter - User lookup filter, the placeholder {login} will be replaced by the user supplied login.
 # ldap_group_basedn - Search base for groups.
+# ldap_group_filter - Group lookup filter, the placeholder {login} will be replaced by the user supplied login. example : "(&(memberUid={login}))"
 ## step2: Restart fe, and use root or admin account to log in to doris.
 ## step3: Execute sql statement to set ldap admin password:
 # set ldap_admin_password = 'password';
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
index a6fb10f261d597..f174a4ef663683 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
@@ -66,6 +66,12 @@ public class LdapConfig extends ConfigBase {
 @ConfigBase.ConfField
 public static String ldap_group_basedn = "";
 
+ /**
+ * Group lookup filter, the placeholder {login} will be replaced by the user supplied login.
+ */
+ @ConfigBase.ConfField
+ public static String ldap_group_filter = "";
+
 /**
 * The user LDAP information cache time.
 * After timeout, the user information will be retrieved from the LDAP service again.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
index bbb8bf4d378879..8d1304658ff2a0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -159,9 +159,21 @@ List getGroups(String userName) {
 if (userDn == null) {
 return groups;
 }
- List groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+ List groupDns;
+
+ // Support Open Directory implementations
+ // If no group filter is configured, it defaults to querying groups based on the attribute 'member'
+ // for standard LDAP implementations
+ if (!LdapConfig.ldap_group_filter.isEmpty()) {
+ groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+ .base(LdapConfig.ldap_group_basedn)
+ .filter(getGroupFilter(LdapConfig.ldap_group_filter, userName)));
+ } else {
+ groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
 .base(LdapConfig.ldap_group_basedn)
 .where("member").is(userDn));
+ }
+
 if (groupDns == null) {
 return groups;
 }
@@ -209,4 +221,8 @@ protected String doMapFromContext(DirContextOperations ctx) {
 private String getUserFilter(String userFilter, String userName) {
 return userFilter.replaceAll("\\{login}", userName);
 }
+
+ private String getGroupFilter(String groupFilter, String userName) {
+ return groupFilter.replaceAll("\\{login}", userName);
+ }
 }
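Review bot: In the new configured-filter branch of getGroups, `.filter(getGroupFilter(LdapConfig.ldap_group_filter, userName))` splices the raw login string into the LDAP search filter, whereas the default branch's `.where("member").is(userDn)` goes through Spring LDAP's filter encoding; a login containing filter metacharacters (`*`, `(`, `)`, `\`) can therefore alter the meaning of the configured group query instead of being matched literally. The helper added in the second LdapClient hunk compounds this by using `replaceAll`, whose replacement argument treats `$` and `\` specially, so a login such as `a$1` is read as a group reference rather than substituted. Both points are addressed in getGroupFilter with a literal replace and RFC 4515 escaping, `return groupFilter.replace("{login}", org.springframework.ldap.support.LdapEncoder.filterEncode(userName));`, and the pre-existing getUserFilter has the same shape, so the two could share one escaping helper rather than duplicating the line. getGroups starts and ends outside the hunk, so whether the caller has already validated userName is not visible here; the escaping is cheap regardless and keeps the configured filter's semantics independent of the login value.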