[Enhancement] Support LDAP direct bind authentication via DN pattern (backport #71559)#72043
Merged
Merged
Conversation
Contributor
Author
|
Cherry-pick of adee4f3 has failed: To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally |
Contributor
Author
|
@mergify[bot]: Backport conflict, please reslove the conflict and resubmit the pr |
Contributor
🌎 Translation Required?Thanks for your doc contribution! The following languages are missing or outdated for your changes. 🤖 Automated TranslationsIf you are fluent in any of the missing languages you can add them. If not, a maintainer can generate the translations below. Maintainer: Check the ones you wish to generate:
|
…71559) Why I'm doing In the existing LDAP authentication flow, when a user is created without an explicit DN (e.g. CREATE USER tom IDENTIFIED WITH authentication_ldap_simple), StarRocks must perform a two-step "search-and-bind": first bind as an admin to search for the user's DN, then bind again with the user's credentials. This requires configuring an admin account (bind_root_dn/bind_root_pwd) and granting it search privileges, which adds operational overhead and may not be desirable in environments where the user DN structure is predictable. More importantly, many users integrate with third-party managed LDAP services (e.g. cloud-hosted LDAP or partner-managed directories) where they do not have admin privileges to configure a root DN or search account at all. The search-and-bind mode is simply not viable for these users. Direct bind via DN pattern provides a lightweight alternative that requires no admin credentials. What I'm doing Add a new configuration parameter authentication_ldap_simple_bind_dn_pattern that enables direct bind authentication. When set, the system constructs the user DN from the pattern (using ${USER} as a placeholder) and binds directly, skipping the admin search step entirely. Key changes: Add authentication_ldap_simple_bind_dn_pattern to FE Config (mutable) Implement authenticateByPattern() in LDAPAuthProvider with multi-pattern support (patterns separated by semicolon ;, tried in order) Wire the new parameter through both AuthPlugin (legacy path) and SimpleLDAPSecurityIntegration (security integration path) Authentication priority: per-user DN > DN pattern > search-and-bind Add LDAP injection protection via escapeLdapValue() for pattern mode Add unit tests for direct bind, multi-pattern fallback, and edge cases Update documentation (EN/ZH/JA) for ldap_authentication, security_integration, and FE_configuration reference Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> (cherry picked from commit adee4f3) Signed-off-by: Planck Li <jaogoy@gmail.com> # Conflicts: # fe/fe-core/src/test/java/com/starrocks/authentication/AuthenticationProviderTest.java # fe/fe-core/src/test/java/com/starrocks/authentication/SecurityIntegrationTest.java
Removed conflict markers from AuthenticationProviderTest.java. Signed-off-by: Planck Li <jaogoy@gmail.com>
Removed merge conflict markers and cleaned up the code. Signed-off-by: Planck Li <jaogoy@gmail.com>
bd6d50b to
2928de6
Compare
HangyuanLiu
approved these changes
Apr 27, 2026
wangsimo0
approved these changes
Apr 27, 2026
Signed-off-by: Planck Li <jaogoy@gmail.com> Signed-off-by: Planck Li <jaogoy@gmail.com>
The class AccessControlContext does not exist in the source tree; the same file's earlier tests (lines 99/118) already use ConnectContext, which has the required getDistinguishedName()/setDistinguishedName() methods and matches LDAPAuthProvider.authenticate()'s first parameter type. Signed-off-by: Planck Li <jaogoy@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why I'm doing
In the existing LDAP authentication flow, when a user is created without an
explicit DN (e.g.
CREATE USER tom IDENTIFIED WITH authentication_ldap_simple),StarRocks must perform a two-step "search-and-bind": first bind as an admin to
search for the user's DN, then bind again with the user's credentials. This
requires configuring an admin account (bind_root_dn/bind_root_pwd) and granting
it search privileges, which adds operational overhead and may not be desirable
in environments where the user DN structure is predictable.
More importantly, many users integrate with third-party managed LDAP services
(e.g. cloud-hosted LDAP or partner-managed directories) where they do not have
admin privileges to configure a root DN or search account at all. The
search-and-bind mode is simply not viable for these users. Direct bind via DN
pattern provides a lightweight alternative that requires no admin credentials.
What I'm doing
Add a new configuration parameter
authentication_ldap_simple_bind_dn_patternthat enables direct bind authentication. When set, the system constructs the
user DN from the pattern (using
${USER}as a placeholder) and binds directly,skipping the admin search step entirely.
Key changes:
authentication_ldap_simple_bind_dn_patternto FE Config (mutable)authenticateByPattern()in LDAPAuthProvider with multi-patternsupport (patterns separated by semicolon
;, tried in order)SimpleLDAPSecurityIntegration (security integration path)
escapeLdapValue()for pattern modeand FE_configuration reference
What type of PR is this:
Does this PR entail a change in behavior?
If yes, please specify the type of change:
Checklist:
Bugfix cherry-pick branch check:
This is an automatic backport of pull request #71559 done by [Mergify](https://mergify.com).