diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..2376657b99f0b 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md @@ -49,13 +49,30 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + # specify ldap_use_ssl to true to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true + # specify ldap_allow_empty_pass to false to prohibit login with non specified LDAP password, specify true or comment property to use default behavior and allow login with empty LDAP password + ldap_allow_empty_pass = false ``` +> Important for LDAPS: +> +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql @@ -131,6 +148,12 @@ LDAP authentication means password verification through LDAP service to suppleme 2. If the user doesn't exist in LDAP, it falls back to Doris local password verification. 3. If the LDAP password is correct but there's no corresponding account in Doris, a temporary user is created for login. +> Note on Empty Passwords: +> +> By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). +> This behavior can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. +> With such setting Doris will reject all login attempts with empty password and return an error message. + ### Login Behavior Overview After enabling LDAP, login behaviors under different user states are as follows: @@ -139,8 +162,11 @@ After enabling LDAP, login behaviors under different user states are as follows: | --------- | ---------- | ------------- | ------------ | -------------- | | Exists | Exists | LDAP password | Success | Doris user | | Exists | Exists | Doris password | Failed | - | +| Exists | Exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | Doris user (if allowed) | | Not exists | Exists | Doris password | Success | Doris user | | Exists | Not exists | LDAP password | Success | LDAP temporary user | +| Exists | Not exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | LDAP temporary user (if allowed) | + > **About Temporary Users:** > @@ -149,6 +175,12 @@ After enabling LDAP, login behaviors under different user states are as follows: > - Temporary user permissions are determined by LDAP group authorization (see "Group Authorization" section below). > - If temporary users have no corresponding group permissions, they default to `select_priv` on `information_schema`. +> **About Empty Password Security:** +> +> The `ldap_allow_empty_pass` configuration provides additional security control: +> - When `true` (default): Users can accidentally or intentionally log in without a password, which might be convenient for development environments but poses security risks in production. +> - When `false`: Empty passwords are strictly rejected, ensuring all users must provide valid credentials. This is recommended for production environments to prevent unauthorized access. + ### Login Examples The following examples assume LDAP authentication is enabled, configured with `ldap_user_filter = (&(uid={login}))`, and the client has set `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1`. @@ -250,7 +282,10 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. +- **Empty password behavior:** By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). This can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. ## FAQ diff --git a/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..ca0912f451e5d 100644 --- a/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md @@ -49,13 +49,30 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + # specify ldap_use_ssl to true to use to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true + # specify ldap_allow_empty_pass to false to prohibit login with non specified LDAP password, specify true or comment property to use default behavior and allow login with empty LDAP password + ldap_allow_empty_pass = false ``` +> Important for LDAPS: +> +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql @@ -131,6 +148,12 @@ LDAP authentication means password verification through LDAP service to suppleme 2. If the user doesn't exist in LDAP, it falls back to Doris local password verification. 3. If the LDAP password is correct but there's no corresponding account in Doris, a temporary user is created for login. +> Note on Empty Passwords: +> +> By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). +> This behavior can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. +> With such setting Doris will reject all login attempts with empty password and return an error message. + ### Login Behavior Overview After enabling LDAP, login behaviors under different user states are as follows: @@ -139,8 +162,10 @@ After enabling LDAP, login behaviors under different user states are as follows: | --------- | ---------- | ------------- | ------------ | -------------- | | Exists | Exists | LDAP password | Success | Doris user | | Exists | Exists | Doris password | Failed | - | +| Exists | Exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | Doris user (if allowed) | | Not exists | Exists | Doris password | Success | Doris user | | Exists | Not exists | LDAP password | Success | LDAP temporary user | +| Exists | Not exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | LDAP temporary user (if allowed) | > **About Temporary Users:** > @@ -149,6 +174,12 @@ After enabling LDAP, login behaviors under different user states are as follows: > - Temporary user permissions are determined by LDAP group authorization (see "Group Authorization" section below). > - If temporary users have no corresponding group permissions, they default to `select_priv` on `information_schema`. +> **About Empty Password Security:** +> +> The `ldap_allow_empty_pass` configuration provides additional security control: +> - When `true` (default): Users can accidentally or intentionally log in without a password, which might be convenient for development environments but poses security risks in production. +> - When `false`: Empty passwords are strictly rejected, ensuring all users must provide valid credentials. This is recommended for production environments to prevent unauthorized access. + ### Login Examples The following examples assume LDAP authentication is enabled, configured with `ldap_user_filter = (&(uid={login}))`, and the client has set `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1`. @@ -250,7 +281,10 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. +- **Empty password behavior:** By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). This can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. ## FAQ diff --git a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..ca0912f451e5d 100644 --- a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md @@ -49,13 +49,30 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + # specify ldap_use_ssl to true to use to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true + # specify ldap_allow_empty_pass to false to prohibit login with non specified LDAP password, specify true or comment property to use default behavior and allow login with empty LDAP password + ldap_allow_empty_pass = false ``` +> Important for LDAPS: +> +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql @@ -131,6 +148,12 @@ LDAP authentication means password verification through LDAP service to suppleme 2. If the user doesn't exist in LDAP, it falls back to Doris local password verification. 3. If the LDAP password is correct but there's no corresponding account in Doris, a temporary user is created for login. +> Note on Empty Passwords: +> +> By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). +> This behavior can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. +> With such setting Doris will reject all login attempts with empty password and return an error message. + ### Login Behavior Overview After enabling LDAP, login behaviors under different user states are as follows: @@ -139,8 +162,10 @@ After enabling LDAP, login behaviors under different user states are as follows: | --------- | ---------- | ------------- | ------------ | -------------- | | Exists | Exists | LDAP password | Success | Doris user | | Exists | Exists | Doris password | Failed | - | +| Exists | Exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | Doris user (if allowed) | | Not exists | Exists | Doris password | Success | Doris user | | Exists | Not exists | LDAP password | Success | LDAP temporary user | +| Exists | Not exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | LDAP temporary user (if allowed) | > **About Temporary Users:** > @@ -149,6 +174,12 @@ After enabling LDAP, login behaviors under different user states are as follows: > - Temporary user permissions are determined by LDAP group authorization (see "Group Authorization" section below). > - If temporary users have no corresponding group permissions, they default to `select_priv` on `information_schema`. +> **About Empty Password Security:** +> +> The `ldap_allow_empty_pass` configuration provides additional security control: +> - When `true` (default): Users can accidentally or intentionally log in without a password, which might be convenient for development environments but poses security risks in production. +> - When `false`: Empty passwords are strictly rejected, ensuring all users must provide valid credentials. This is recommended for production environments to prevent unauthorized access. + ### Login Examples The following examples assume LDAP authentication is enabled, configured with `ldap_user_filter = (&(uid={login}))`, and the client has set `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1`. @@ -250,7 +281,10 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. +- **Empty password behavior:** By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). This can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. ## FAQ