iaorekhov-1980 commented on code in PR #61440:
URL: https://github.com/apache/doris/pull/61440#discussion_r3578077301


##########
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java:
##########
@@ -106,6 +107,14 @@ private AuthenticateResponse internalAuthenticate(String 
password, String qualif
             LOG.debug("user:{}", userName);
         }
 
+        //not allow to login in case when empty password is specified but such 
mode is disabled by configuration
+        if (Strings.isNullOrEmpty(password) && 
!LdapConfig.ldap_allow_empty_pass) {
+            LOG.info("User:{} login rejected: empty LDAP password is 
prohibited (ldap_allow_empty_pass=false)",
+                    userName);
+            ErrorReport.report(ErrorCode.ERR_EMPTY_PASSWORD, qualifiedUser + 
"@" + remoteIp);
+            return AuthenticateResponse.failedResponse;
+        }

Review Comment:
   Hello, @CalvinKirs 
   You were right in your assumptions.
   It's better to move the check into the common place, not to split between 
modules.
   So I've introduced this check for empty LDAP password into 
LdapManager.checkUserPasswd as you have suggested.
   But for backward compatibility and regression testing - I've placed it into 
separate method invoked from existing LdapManager.checkUserPasswd.
   Also I've kept specific error messages for cases with empty LDAP password.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to