From 9056f3da3ff4175f80c5388832b515ad8783ffaa Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 9 Feb 2026 12:23:02 +0300 Subject: [PATCH 1/8] fix: 1st version of ldaps docs --- .../admin-manual/auth/authentication/ldap.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..15c83ae59d8de 100644 --- a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md @@ -49,13 +49,22 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + ldap_port = 389 # change it if ldap_use_ssl specified to true as different port (636) is used for LDAPS ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + ldap_use_ssl = true # specify true to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ``` +> Important for LDAPS: +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql 
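Review bot: the configuration example in this hunk sets `ldap_use_ssl = true` but leaves `ldap_port = 389`, so a reader who copies the block as-is will attempt a TLS handshake against the plaintext LDAP port and the FE will fail to connect. The comment on the port line already says LDAPS uses 636, so the example should be self-consistent: either `ldap_port = 636` next to `ldap_use_ssl = true`, or keep both values at the plain-LDAP defaults and describe the LDAPS change in the comment only. The trailing `...` in `JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=changeit ..."` also needs a sentence saying that the options already present in `fe/conf/fe.conf` must be kept, otherwise the assignment as written replaces them. Minor, pre-existing but adjacent: `ldap_host = ladp-host` has `ladp` transposed.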
@@ -250,7 +259,9 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. ## FAQ From f7d9dabb27050dd58be60893af7d969f61f48904 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 9 Feb 2026 12:30:10 +0300 Subject: [PATCH 2/8] fix: improved version of ldaps docs --- .../admin-manual/auth/authentication/ldap.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md index 15c83ae59d8de..06692107ceb1a 100644 --- a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md 
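Review bot: the three Known Limitations bullets in this hunk state the same fact twice: the reworded first bullet already says the `fe`-to-LDAP leg can be secured, and the second bullet then restates the plain-LDAP default. Suggest collapsing to two bullets, one per network leg: client to `fe` (password sent in cleartext via the MySQL cleartext plugin, mitigated only by enabling SSL on the FE MySQL port, with a link to that page) and `fe` to LDAP (`ldap_use_ssl`, default `false`). Grammar in the first bullet: "but the connection between `fe` and the LDAP service can optionally be secured". The same text is copied verbatim into docs/ and version-3.x in patch 3, so whichever wording is chosen should land in all three files.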
@@ -49,17 +49,23 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 # change it if ldap_use_ssl specified to true as different port (636) is used for LDAPS + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr - ldap_use_ssl = true # specify true to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + # specify ldap_use_ssl to true to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true ``` > Important for LDAPS: +> > When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. -> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): > ``` > # Example for JDK 17 > JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." From 00bfdc0de92531437736c314c42098d963b30525 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 9 Feb 2026 12:39:17 +0300 Subject: [PATCH 3/8] fix: final version of DORIS documentation --- docs/admin-manual/auth/authentication/ldap.md | 21 +++++++++++++++++-- .../admin-manual/auth/authentication/ldap.md | 21 +++++++++++++++++-- .../admin-manual/auth/authentication/ldap.md | 2 +- 3 files changed, 39 insertions(+), 5 deletions(-) 
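Review bot: the LDAPS note tells users to point `-Djavax.net.ssl.trustStore` at their own cacerts file, but that property replaces the JVM's default trust store rather than adding to it, so a store that contains only the private CA will break every other TLS connection the FE makes to hosts signed by public CAs. The doc should say either to import the CA into the JDK's own store (`keytool -importcert -alias ldap-ca -file ca.pem -keystore $JAVA_HOME/lib/security/cacerts`, `jre/lib/security/cacerts` on JDK 8) or to build the custom store from a copy of it. `changeit` is the stock cacerts password and only protects the integrity of the store file, which is worth saying so nobody treats it as a secret that must not appear in `fe.conf`. Finally, a current JDK verifies the server hostname for LDAPS, so the note should add that the certificate's SAN must contain the value given in `ldap_host`; an IP or short name that is not in the certificate fails even when the CA is trusted.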
diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..9a05239d10abd 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md @@ -49,13 +49,28 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + # specify ldap_use_ssl to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true ``` +> Important for LDAPS: +> +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql 
@@ -250,7 +265,9 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. ## FAQ diff --git a/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..fdcf429b3bf6e 100644 --- a/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md 
@@ -49,13 +49,28 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + # specify ldap_use_ssl to true to use to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true ``` +> Important for LDAPS: +> +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql 
@@ -250,7 +265,9 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. ## FAQ diff --git a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md index 06692107ceb1a..fdcf429b3bf6e 100644 --- a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md @@ -55,7 +55,7 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr - # specify ldap_use_ssl to true to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + # specify ldap_use_ssl to true to use to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true ``` From 079f22884601f088b097aa3ff9f0322aad006ae2 Mon Sep 17 00:00:00 2001 
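Review bot: the version-4.x hunk at the end of this line replaces a readable comment with a garbled one: `to switch to secured LDAPS protocol` becomes `to use to secured LDAPS protocol`, and the version-3.x copy in this same patch receives the garbled form as well. The later typo fixes (patches 4 and 5) touch only docs/, so both versioned files keep the broken wording. Suggest one sentence used identically in all three files, e.g. `# set ldap_use_ssl = true to connect with LDAPS; set false or omit it to keep the default plain-LDAP behavior`.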
From: Ivan Orekhov Date: Mon, 16 Feb 2026 12:22:22 +0300 Subject: [PATCH 4/8] fix: fixed typo within description of ldap_use_ssl --- docs/admin-manual/auth/authentication/ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 9a05239d10abd..99067ea5b1a3c 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md @@ -55,7 +55,7 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr - # specify ldap_use_ssl to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + # specify ldap_use_sslto true to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true ``` From 9819ddd1d804c918d0e7b2bc36007ab3945feb75 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 16 Feb 2026 12:28:15 +0300 Subject: [PATCH 5/8] fix: typo on ldap_use_ssl description --- docs/admin-manual/auth/authentication/ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 99067ea5b1a3c..9486166340b2b 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md 
@@ -55,7 +55,7 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr - # specify ldap_use_sslto true to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + # specify ldap_use_ssl to true to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true ``` From da7ec15727544840fd9df37f6bcbf80d6e2ca64c Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 16 Feb 2026 12:51:05 +0300 Subject: [PATCH 6/8] first versio of doc for option to disable login with empty pass --- docs/admin-manual/auth/authentication/ldap.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 9486166340b2b..5e4ba4c4d6a91 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md @@ -57,6 +57,8 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_group_basedn = ou=group,o=emr # specify ldap_use_ssl to true to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true + # specify ldap_allow_empty_pass to false to prohibit login with non specified LDAP password, specify true or comment property to use default behavior and allow login with empty LDAP password + ldap_allow_empty_pass = false ``` > Important for LDAPS: 
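Review bot: the new `ldap_allow_empty_pass` comment is hard to parse ("prohibit login with non specified LDAP password"); suggest `# set ldap_allow_empty_pass = false to reject logins that supply no password; true (or omitting the key) keeps the default of accepting an empty password for users found in LDAP`. Since the prose added later in this patch recommends `false` for production, the default should be stated explicitly in the parameter description rather than only implied by "comment property to use default behavior". The patch 5 hunk above still reads "to true to use to switch to secured LDAPS protocol" (doubled "to use to switch"); trim to "set to true to use LDAPS".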
@@ -146,6 +148,12 @@ LDAP authentication means password verification through LDAP service to suppleme 2. If the user doesn't exist in LDAP, it falls back to Doris local password verification. 3. If the LDAP password is correct but there's no corresponding account in Doris, a temporary user is created for login. +> Note on Empty Passwords: +> +> By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). +> This behavior can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. +> With such setting Doris will reject all login attempts with empty password and return an error message. + ### Login Behavior Overview After enabling LDAP, login behaviors under different user states are as follows: @@ -154,8 +162,11 @@ After enabling LDAP, login behaviors under different user states are as follows: | --------- | ---------- | ------------- | ------------ | -------------- | | Exists | Exists | LDAP password | Success | Doris user | | Exists | Exists | Doris password | Failed | - | +| Exists | Exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | Doris user (if allowed) | | Not exists | Exists | Doris password | Success | Doris user | | Exists | Not exists | LDAP password | Success | LDAP temporary user | +| Exists | Not exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | LDAP temporary user (if allowed) | + > **About Temporary Users:** 
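Review bot: the note says that with `ldap_allow_empty_pass = false` Doris "will reject all login attempts with empty password", but the numbered list directly above it describes a fallback to local Doris password verification for users not found in LDAP. State whether the rejection applies only when the user exists in LDAP (which is what the two new table rows cover, both being "Exists in LDAP" cases) or whether it also blocks local Doris accounts whose Doris password is empty. The new "Exists / Exists / Empty password" row also deserves a sentence: in that row an empty password succeeds at the default setting even though the row two lines above says the user's own Doris password fails, so a Doris account that also exists in LDAP has a non-empty local password that no longer protects it.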
> @@ -164,6 +175,12 @@ After enabling LDAP, login behaviors under different user states are as follows: > - Temporary user permissions are determined by LDAP group authorization (see "Group Authorization" section below). > - If temporary users have no corresponding group permissions, they default to `select_priv` on `information_schema`. +> **About Empty Password Security:** +> +> The ldap_allow_empty_pass configuration provides additional security control: +> When `true` (default): Users can accidentally or intentionally log in without a password, which might be convenient for development environments but poses security risks in production. +> When `false`: Empty passwords are strictly rejected, ensuring all users must provide valid credentials. This is recommended for production environments to prevent unauthorized access. + ### Login Examples The following examples assume LDAP authentication is enabled, configured with `ldap_user_filter = (&(uid={login}))`, and the client has set `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1`. @@ -268,6 +285,7 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( - Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. - **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. - **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. +- **Empty password behavior:** By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). This can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. ## FAQ 
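Review bot: the "About Empty Password Security" note should say why an empty password succeeds at all: a simple bind with a DN and an empty password is the unauthenticated bind of RFC 4513 section 5.1.2, which the directory treats as anonymous and which many servers (Active Directory by default among them) answer with success, so any login name that resolves through `ldap_user_filter` can authenticate to Doris without a credential. Given that, the default of `true` is the unsafe setting; the paragraph already recommends `false` for production, so the Known Limitations bullet at the end of this line should carry the same recommendation instead of only stating the default. "accidentally or intentionally" adds nothing and can be dropped.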
From dadce2b9f66f56bde52f9f195abc9daac87a3c9c Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 16 Feb 2026 12:58:14 +0300 Subject: [PATCH 7/8] fix: next version of documentation for allow_empty_pass option --- docs/admin-manual/auth/authentication/ldap.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 5e4ba4c4d6a91..2376657b99f0b 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md @@ -177,9 +177,9 @@ After enabling LDAP, login behaviors under different user states are as follows: > **About Empty Password Security:** > -> The ldap_allow_empty_pass configuration provides additional security control: -> When `true` (default): Users can accidentally or intentionally log in without a password, which might be convenient for development environments but poses security risks in production. -> When `false`: Empty passwords are strictly rejected, ensuring all users must provide valid credentials. This is recommended for production environments to prevent unauthorized access. +> The `ldap_allow_empty_pass` configuration provides additional security control: +> - When `true` (default): Users can accidentally or intentionally log in without a password, which might be convenient for development environments but poses security risks in production. +> - When `false`: Empty passwords are strictly rejected, ensuring all users must provide valid credentials. This is recommended for production environments to prevent unauthorized access. ### Login Examples From a2a830554a52dfb0821dec4073857b609e9234fe Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Mon, 16 Feb 2026 13:02:16 +0300 Subject: [PATCH 8/8] add docs for allow_empty_pass option for 3.x and 4.x versions --- .../admin-manual/auth/authentication/ldap.md | 17 +++++++++++++++++ .../admin-manual/auth/authentication/ldap.md | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md index fdcf429b3bf6e..ca0912f451e5d 100644 --- a/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md @@ -57,6 +57,8 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_group_basedn = ou=group,o=emr # specify ldap_use_ssl to true to use to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true + # specify ldap_allow_empty_pass to false to prohibit login with non specified LDAP password, specify true or comment property to use default behavior and allow login with empty LDAP password + ldap_allow_empty_pass = false ``` > Important for LDAPS: @@ -146,6 +148,12 @@ LDAP authentication means password verification through LDAP service to suppleme 2. If the user doesn't exist in LDAP, it falls back to Doris local password verification. 3. If the LDAP password is correct but there's no corresponding account in Doris, a temporary user is created for login. +> Note on Empty Passwords: +> +> By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). +> This behavior can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. +> With such setting Doris will reject all login attempts with empty password and return an error message. + ### Login Behavior Overview After enabling LDAP, login behaviors under different user states are as follows: 
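Review bot: the version-3.x context line in the first hunk still reads `to true to use to secured LDAPS protocol`, the garbled wording introduced in patch 3, and the version-4.x hunk later in this patch shows the same line. Patches 4 and 5 corrected docs/ only, so this series leaves the two versioned copies of ldap.md different from docs/; fix the comment in both files here, in the same commit that adds the `ldap_allow_empty_pass` line, so the three copies match.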
@@ -154,8 +162,10 @@ After enabling LDAP, login behaviors under different user states are as follows: | --------- | ---------- | ------------- | ------------ | -------------- | | Exists | Exists | LDAP password | Success | Doris user | | Exists | Exists | Doris password | Failed | - | +| Exists | Exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | Doris user (if allowed) | | Not exists | Exists | Doris password | Success | Doris user | | Exists | Not exists | LDAP password | Success | LDAP temporary user | +| Exists | Not exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | LDAP temporary user (if allowed) | > **About Temporary Users:** > @@ -164,6 +174,12 @@ After enabling LDAP, login behaviors under different user states are as follows: > - Temporary user permissions are determined by LDAP group authorization (see "Group Authorization" section below). > - If temporary users have no corresponding group permissions, they default to `select_priv` on `information_schema`. +> **About Empty Password Security:** +> +> The `ldap_allow_empty_pass` configuration provides additional security control: +> - When `true` (default): Users can accidentally or intentionally log in without a password, which might be convenient for development environments but poses security risks in production. +> - When `false`: Empty passwords are strictly rejected, ensuring all users must provide valid credentials. This is recommended for production environments to prevent unauthorized access. + ### Login Examples The following examples assume LDAP authentication is enabled, configured with `ldap_user_filter = (&(uid={login}))`, and the client has set `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1`. 
@@ -268,6 +284,7 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( - Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. - **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. - **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. +- **Empty password behavior:** By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). This can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. ## FAQ diff --git a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md index fdcf429b3bf6e..ca0912f451e5d 100644 --- a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md @@ -57,6 +57,8 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_group_basedn = ou=group,o=emr # specify ldap_use_ssl to true to use to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true + # specify ldap_allow_empty_pass to false to prohibit login with non specified LDAP password, specify true or comment property to use default behavior and allow login with empty LDAP password + ldap_allow_empty_pass = false ``` > Important for LDAPS: 
@@ -146,6 +148,12 @@ LDAP authentication means password verification through LDAP service to suppleme 2. If the user doesn't exist in LDAP, it falls back to Doris local password verification. 3. If the LDAP password is correct but there's no corresponding account in Doris, a temporary user is created for login. +> Note on Empty Passwords: +> +> By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). +> This behavior can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. +> With such setting Doris will reject all login attempts with empty password and return an error message. + ### Login Behavior Overview After enabling LDAP, login behaviors under different user states are as follows: @@ -154,8 +162,10 @@ After enabling LDAP, login behaviors under different user states are as follows: | --------- | ---------- | ------------- | ------------ | -------------- | | Exists | Exists | LDAP password | Success | Doris user | | Exists | Exists | Doris password | Failed | - | +| Exists | Exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | Doris user (if allowed) | | Not exists | Exists | Doris password | Success | Doris user | | Exists | Not exists | LDAP password | Success | LDAP temporary user | +| Exists | Not exists | Empty password | Success if `ldap_allow_empty_pass = true`, otherwise Failed | LDAP temporary user (if allowed) | > **About Temporary Users:** 
> @@ -164,6 +174,12 @@ After enabling LDAP, login behaviors under different user states are as follows: > - Temporary user permissions are determined by LDAP group authorization (see "Group Authorization" section below). > - If temporary users have no corresponding group permissions, they default to `select_priv` on `information_schema`. +> **About Empty Password Security:** +> +> The `ldap_allow_empty_pass` configuration provides additional security control: +> - When `true` (default): Users can accidentally or intentionally log in without a password, which might be convenient for development environments but poses security risks in production. +> - When `false`: Empty passwords are strictly rejected, ensuring all users must provide valid credentials. This is recommended for production environments to prevent unauthorized access. + ### Login Examples The following examples assume LDAP authentication is enabled, configured with `ldap_user_filter = (&(uid={login}))`, and the client has set `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1`. @@ -268,6 +284,7 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( - Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. - **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. - **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. +- **Empty password behavior:** By default, Doris allows login with an empty password if the user exists in LDAP (`ldap_allow_empty_pass = true`). This can be disabled by setting `ldap_allow_empty_pass = false` in `ldap.conf`. ## FAQ