github-actions[bot] commented on code in PR #61440:
URL: https://github.com/apache/doris/pull/61440#discussion_r3084579355
##########
fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java:
##########
@@ -204,4 +204,10 @@ public class LdapConfig extends ConfigBase {
public static String getConnectionURL(String hostPortInAccessibleFormat) {
return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" +
hostPortInAccessibleFormat);
}
+
+ /**
+ * Flag to enable login with empty pass.
+ */
+ @ConfigBase.ConfField(mutable = true)
+ public static boolean ldap_allow_empty_pass = true;
Review Comment:
This new public config is only wired into the legacy FE-core LDAP code paths
(`Auth.checkPlainPassword()` and `LdapAuthenticator.internalAuthenticate()`).
The repository also has the newer LDAP integration/plugin path under
`fe-authentication/.../LdapAuthenticationPlugin.java`, and that implementation
still rejects empty passwords unconditionally. As a result,
`ldap_allow_empty_pass=true/false` does not define a single LDAP behavior
across supported auth paths, even though the PR description and release note
describe it as a general LDAP knob. Please either apply the same rule there as
well, or scope/document the setting as legacy-only and add coverage for that
distinction.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
