CalvinKirs commented on code in PR #61440:
URL: https://github.com/apache/doris/pull/61440#discussion_r3456882809
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java:
##########
@@ -106,6 +107,14 @@ private AuthenticateResponse internalAuthenticate(String
password, String qualif
LOG.debug("user:{}", userName);
}
+ //not allow to login in case when empty password is specified but such
mode is disabled by configuration
+ if (Strings.isNullOrEmpty(password) &&
!LdapConfig.ldap_allow_empty_pass) {
+ LOG.info("User:{} login rejected: empty LDAP password is
prohibited (ldap_allow_empty_pass=false)",
+ userName);
+ ErrorReport.report(ErrorCode.ERR_EMPTY_PASSWORD, qualifiedUser +
"@" + remoteIp);
+ return AuthenticateResponse.failedResponse;
+ }
Review Comment:
Rather than duplicating, consider sinking the empty-password check into the
single LDAP chokepoint LdapManager.checkUserPasswd. Keep it LDAP-scoped, not at
the global auth entry
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
