[Improvement](LDAP Auth)Enhance LDAP authentication with a configurab…

…le group filter (apache#42038) ## Proposed changes  This PR enhances LDAP authentication by adding an optional configurable filter for retrieving user groups, primarily to support Open Directory LDAP implementations. If the configurable property is left empty, the existing workflow will remain unchanged. --------- Co-authored-by: Sivarajan Narayanan <[email protected]>
xinyiZzz · Nov 5, 2024 · e567ee0 · e567ee0
1 parent da35d3d
commit e567ee0
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/conf/ldap.conf b/conf/ldap.conf
@@ -30,6 +30,7 @@
 # ldap_user_basedn - Search base for users.
 # ldap_user_filter - User lookup filter, the placeholder {login} will be replaced by the user supplied login.
 # ldap_group_basedn - Search base for groups.
+# ldap_group_filter - Group lookup filter, the placeholder {login} will be replaced by the user supplied login. example : "(&(memberUid={login}))"
 ## step2: Restart fe, and use root or admin account to log in to doris.
 ## step3: Execute sql statement to set ldap admin password:
 # set ldap_admin_password = 'password';

diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
@@ -66,6 +66,12 @@ public class LdapConfig extends ConfigBase {
     @ConfigBase.ConfField
     public static String ldap_group_basedn = "";
 
+    /**
+     * Group lookup filter, the placeholder {login} will be replaced by the user supplied login.
+     */
+    @ConfigBase.ConfField
+    public static String ldap_group_filter = "";
+
     /**
      * The user LDAP information cache time.
      * After timeout, the user information will be retrieved from the LDAP service again.

diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -159,9 +159,21 @@ List<String> getGroups(String userName) {
         if (userDn == null) {
             return groups;
         }
-        List<String> groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+        List<String> groupDns;
+
+        // Support Open Directory implementations
+        // If no group filter is configured, it defaults to querying groups based on the attribute 'member'
+        // for standard LDAP implementations
+        if (!LdapConfig.ldap_group_filter.isEmpty()) {
+            groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
+                .base(LdapConfig.ldap_group_basedn)
+                .filter(getGroupFilter(LdapConfig.ldap_group_filter, userName)));
+        } else {
+            groupDns = getDn(org.springframework.ldap.query.LdapQueryBuilder.query()
                 .base(LdapConfig.ldap_group_basedn)
                 .where("member").is(userDn));
+        }
+
         if (groupDns == null) {
             return groups;
         }
@@ -209,4 +221,8 @@ protected String doMapFromContext(DirContextOperations ctx) {
     private String getUserFilter(String userFilter, String userName) {
         return userFilter.replaceAll("\\{login}", userName);
     }
+
+    private String getGroupFilter(String groupFilter, String userName) {
+        return groupFilter.replaceAll("\\{login}", userName);
+    }
 }