iaorekhov-1980 commented on code in PR #61440:
URL: https://github.com/apache/doris/pull/61440#discussion_r3458223052
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java:
##########
@@ -106,6 +107,14 @@ private AuthenticateResponse internalAuthenticate(String
password, String qualif
LOG.debug("user:{}", userName);
}
+ //not allow to login in case when empty password is specified but such
mode is disabled by configuration
+ if (Strings.isNullOrEmpty(password) &&
!LdapConfig.ldap_allow_empty_pass) {
+ LOG.info("User:{} login rejected: empty LDAP password is
prohibited (ldap_allow_empty_pass=false)",
+ userName);
+ ErrorReport.report(ErrorCode.ERR_EMPTY_PASSWORD, qualifiedUser +
"@" + remoteIp);
+ return AuthenticateResponse.failedResponse;
+ }
Review Comment:
Hello, @CalvinKirs
I've also thought about place logic to disable login with empty LDAP
password into **LdapManager.checkUserPasswd**
But finally decided to split it between **LdapAuthenticator** and **Auth**
to keep existing **checkUserPasswd** unaffected and avoid any regression risk
and simplify separate testing of existing and updated behavior.
So as code owner, could you please confirm - what I can introduce my logic
into core **checkUserPasswd** functionality?
In general - I would like to minimize risk to introduce any regression or
backward compatibility issues for existing Doris user.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
