From 384c7aee90075a63e174eab455c114f5e2f36785 Mon Sep 17 00:00:00 2001
From: gengjun-git
Date: Tue, 12 Mar 2024 11:23:03 +0800
Subject: [PATCH] [BugFix] Fix LDAP authentication bug where empty password can successfully login on AD server (#41982)
Signed-off-by: gengjun-git
(cherry picked from commit e8c13134adb9e6919b7c41ae1741435f659aabd4)
---
 .../com/starrocks/mysql/security/LdapSecurity.java | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/fe/fe-core/src/main/java/com/starrocks/mysql/security/LdapSecurity.java b/fe/fe-core/src/main/java/com/starrocks/mysql/security/LdapSecurity.java
index 4eba45a8c0b36..b78f59c49fa8d 100644
--- a/fe/fe-core/src/main/java/com/starrocks/mysql/security/LdapSecurity.java
+++ b/fe/fe-core/src/main/java/com/starrocks/mysql/security/LdapSecurity.java
@@ -2,6 +2,7 @@
 package com.starrocks.mysql.security;
+import com.google.common.base.Strings;
 import com.starrocks.common.Config;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -19,6 +20,11 @@ public class LdapSecurity {
 //bind to ldap server to check password
 public static boolean checkPassword(String dn, String password) {
+ if (Strings.isNullOrEmpty(password)) {
+ LOG.warn("empty password is not allowed for simple authentication");
+ return false;
+ }
+
 String url = "ldap://" + Config.authentication_ldap_simple_server_host + ":" + Config.authentication_ldap_simple_server_port;
 Hashtable env = new Hashtable<>();
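Review bot: The new guard in `checkPassword` logs the rejection without naming the account, so repeated empty-password attempts against one DN cannot be picked out of the log; consider `LOG.warn("empty password is not allowed for simple authentication, dn: {}", dn);`. The guard also deserves a why-comment, for example `// an empty password turns a simple bind into an unauthenticated bind (RFC 4513 section 5.1.2), which the server may accept`, because the existing `//bind to ldap server to check password` does not explain it. No test accompanies the fix (the diffstat lists only LdapSecurity.java), so a unit test asserting that `checkPassword(dn, "")` and `checkPassword(dn, null)` return false would pin the behaviour. The method body continues outside the hunk.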
@@ -51,6 +57,11 @@ public static boolean checkPassword(String dn, String password) {
 //2. search user
 //3. if match exactly one, check password
 public static boolean checkPasswordByRoot(String user, String password) {
+ if (Strings.isNullOrEmpty(Config.authentication_ldap_simple_bind_root_pwd)) {
+ LOG.warn("empty password is not allowed for simple authentication");
+ return false;
+ }
+
 String url = "ldap://" + Config.authentication_ldap_simple_server_host + ":" + Config.authentication_ldap_simple_server_port;
 Hashtable env = new Hashtable<>();
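Review bot: The guard added to `checkPasswordByRoot` tests only `Config.authentication_ldap_simple_bind_root_pwd`, not the caller-supplied `password`, so an empty user password is rejected here only if the later "check password" step goes through `checkPassword`; that step is outside this hunk and should be confirmed. Rejecting it up front with `if (Strings.isNullOrEmpty(password)) { return false; }` would also avoid a root bind and directory search for a login that cannot succeed. The warning text is identical to the one in `checkPassword`, so a misconfigured root bind password is indistinguishable in the log from a client sending an empty password. A distinct message such as `LOG.warn("authentication_ldap_simple_bind_root_pwd is empty, refusing root bind");` would make the configuration error obvious.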