CalvinKirs commented on code in PR #61440:
URL: https://github.com/apache/doris/pull/61440#discussion_r3456866337
##########
fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java:
##########
@@ -210,4 +210,10 @@ public class LdapConfig extends ConfigBase {
public static String getConnectionURL(String hostPortInAccessibleFormat) {
return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" +
hostPortInAccessibleFormat);
}
+
+ /**
+ * Flag to enable login with empty pass.
+ */
+ @ConfigBase.ConfField
+ public static boolean ldap_allow_empty_pass = true;
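Review bot: `ldap_allow_empty_pass` is initialised to `true`, which means the new empty-password guard is disabled unless an operator discovers the flag and flips it; a toggle that gates a security check should default to the safe value and make the permissive mode an explicit opt-in, i.e. `public static boolean ldap_allow_empty_pass = false;`. The Javadoc "Flag to enable login with empty pass." also says nothing about the consequence of enabling it: in an LDAP simple bind an empty password is not a credential check but an unauthenticated bind, so the comment should state that turning this on lets a login succeed without the user's password being verified, and the same warning belongs in the ldap.conf template.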
Review Comment:
Default should be false. Defaulting to true keeps the vulnerable behavior —
insecure by default for a security fix. Both Spring Security and Doris reject
empty passwords unconditionally. Suggest defaulting false with true as explicit
opt-in; if it stays true, please flag the risk loudly in ldap.conf.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]