iaorekhov-1980 commented on code in PR #61440:
URL: https://github.com/apache/doris/pull/61440#discussion_r3578077301
##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java:
##########
@@ -106,6 +107,14 @@ private AuthenticateResponse internalAuthenticate(String
password, String qualif
LOG.debug("user:{}", userName);
}
+ //not allow to login in case when empty password is specified but such
mode is disabled by configuration
+ if (Strings.isNullOrEmpty(password) &&
!LdapConfig.ldap_allow_empty_pass) {
+ LOG.info("User:{} login rejected: empty LDAP password is
prohibited (ldap_allow_empty_pass=false)",
+ userName);
+ ErrorReport.report(ErrorCode.ERR_EMPTY_PASSWORD, qualifiedUser +
"@" + remoteIp);
+ return AuthenticateResponse.failedResponse;
+ }
Review Comment:
Hello, @CalvinKirs
You were right in your assumptions.
It's better to move the check into the common place, not to split between
modules.
So I've introduced this check for empty LDAP password into
LdapManager.checkUserPasswd as you have suggested.
But for backward compatibility and regression testing - I've placed it into
separate method invoked from existing LdapManager.checkUserPasswd.
Also I've kept specific error messages for cases with empty LDAP password.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]