Skip to content

[Enhancement] Support LDAP direct bind authentication via DN pattern (backport #71559)#72043

Merged
wanpengfei-git merged 5 commits into
branch-4.0from
mergify/bp/branch-4.0/pr-71559
Apr 30, 2026
Merged

[Enhancement] Support LDAP direct bind authentication via DN pattern (backport #71559)#72043
wanpengfei-git merged 5 commits into
branch-4.0from
mergify/bp/branch-4.0/pr-71559

Conversation

@mergify

@mergify mergify Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

Why I'm doing

In the existing LDAP authentication flow, when a user is created without an
explicit DN (e.g. CREATE USER tom IDENTIFIED WITH authentication_ldap_simple),
StarRocks must perform a two-step "search-and-bind": first bind as an admin to
search for the user's DN, then bind again with the user's credentials. This
requires configuring an admin account (bind_root_dn/bind_root_pwd) and granting
it search privileges, which adds operational overhead and may not be desirable
in environments where the user DN structure is predictable.

More importantly, many users integrate with third-party managed LDAP services
(e.g. cloud-hosted LDAP or partner-managed directories) where they do not have
admin privileges to configure a root DN or search account at all. The
search-and-bind mode is simply not viable for these users. Direct bind via DN
pattern provides a lightweight alternative that requires no admin credentials.

What I'm doing

Add a new configuration parameter authentication_ldap_simple_bind_dn_pattern
that enables direct bind authentication. When set, the system constructs the
user DN from the pattern (using ${USER} as a placeholder) and binds directly,
skipping the admin search step entirely.

Key changes:

  • Add authentication_ldap_simple_bind_dn_pattern to FE Config (mutable)
  • Implement authenticateByPattern() in LDAPAuthProvider with multi-pattern
    support (patterns separated by semicolon ;, tried in order)
  • Wire the new parameter through both AuthPlugin (legacy path) and
    SimpleLDAPSecurityIntegration (security integration path)
  • Authentication priority: per-user DN > DN pattern > search-and-bind
  • Add LDAP injection protection via escapeLdapValue() for pattern mode
  • Add unit tests for direct bind, multi-pattern fallback, and edge cases
  • Update documentation (EN/ZH/JA) for ldap_authentication, security_integration,
    and FE_configuration reference

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This pr needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
    • This pr needs auto generate documentation
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 4.1
    • 4.0
    • 3.5
    • 3.4

This is an automatic backport of pull request #71559 done by [Mergify](https://mergify.com).

@mergify mergify Bot added the conflicts label Apr 23, 2026
@mergify

mergify Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor Author

Cherry-pick of adee4f3 has failed:

On branch mergify/bp/branch-4.0/pr-71559
Your branch is up to date with 'origin/branch-4.0'.

You are currently cherry-picking commit adee4f37c5.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   docs/en/administration/management/FE_parameters/shared_lake_other.md
	modified:   docs/en/administration/user_privs/authentication/ldap_authentication.md
	modified:   docs/en/administration/user_privs/authentication/security_integration.md
	modified:   docs/en/administration/user_privs/group_provider.md
	modified:   docs/ja/administration/management/FE_parameters/shared_lake_other.md
	modified:   docs/ja/administration/user_privs/authentication/ldap_authentication.md
	modified:   docs/ja/administration/user_privs/authentication/security_integration.md
	modified:   docs/ja/administration/user_privs/group_provider.md
	modified:   docs/zh/administration/management/FE_parameters/shared_lake_other.md
	modified:   docs/zh/administration/user_privs/authentication/ldap_authentication.md
	modified:   docs/zh/administration/user_privs/authentication/security_integration.md
	modified:   docs/zh/administration/user_privs/group_provider.md
	modified:   fe/fe-core/src/main/java/com/starrocks/authentication/LDAPAuthProvider.java
	modified:   fe/fe-core/src/main/java/com/starrocks/authentication/SimpleLDAPSecurityIntegration.java
	modified:   fe/fe-core/src/main/java/com/starrocks/common/Config.java
	modified:   fe/fe-core/src/main/java/com/starrocks/mysql/privilege/AuthPlugin.java
	modified:   fe/fe-core/src/test/java/com/starrocks/authentication/LDAPAuthProviderTest.java
	modified:   test/sql/test_security_integration/R/test_security_integration
	modified:   test/sql/test_security_integration/T/test_security_integration

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   fe/fe-core/src/test/java/com/starrocks/authentication/AuthenticationProviderTest.java
	both modified:   fe/fe-core/src/test/java/com/starrocks/authentication/SecurityIntegrationTest.java

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@github-actions github-actions Bot added documentation Documentation changes automerge labels Apr 23, 2026
@wanpengfei-git wanpengfei-git enabled auto-merge (squash) April 23, 2026 08:10
@mergify mergify Bot closed this Apr 23, 2026
auto-merge was automatically disabled April 23, 2026 08:10

Pull request was closed

@mergify

mergify Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor Author

@mergify[bot]: Backport conflict, please reslove the conflict and resubmit the pr

@jaogoy jaogoy reopened this Apr 24, 2026
@wanpengfei-git wanpengfei-git enabled auto-merge (squash) April 24, 2026 03:04
@github-actions

github-actions Bot commented Apr 24, 2026

Copy link
Copy Markdown
Contributor

🌎 Translation Required?

Thanks for your doc contribution! The following languages are missing or outdated for your changes.

🤖 Automated Translations

If you are fluent in any of the missing languages you can add them. If not, a maintainer can generate the translations below.

Maintainer: Check the ones you wish to generate:

docs/en/data_source/feature-support-data-lake-analytics.md

  • ja for docs/en/data_source/feature-support-data-lake-analytics.md (New)

docs/en/sql-reference/System_variable.md

  • ja for docs/en/sql-reference/System_variable.md (New)

Maintainers: Check boxes and reply with /translate to start.

🕒 Last updated: Thu, 30 Apr 2026 01:59:22 GMT

jaogoy added 3 commits April 24, 2026 14:53
…71559)

Why I'm doing
In the existing LDAP authentication flow, when a user is created without an
explicit DN (e.g. CREATE USER tom IDENTIFIED WITH authentication_ldap_simple),
StarRocks must perform a two-step "search-and-bind": first bind as an admin to
search for the user's DN, then bind again with the user's credentials. This
requires configuring an admin account (bind_root_dn/bind_root_pwd) and granting
it search privileges, which adds operational overhead and may not be desirable
in environments where the user DN structure is predictable.

More importantly, many users integrate with third-party managed LDAP services
(e.g. cloud-hosted LDAP or partner-managed directories) where they do not have
admin privileges to configure a root DN or search account at all. The
search-and-bind mode is simply not viable for these users. Direct bind via DN
pattern provides a lightweight alternative that requires no admin credentials.

What I'm doing
Add a new configuration parameter authentication_ldap_simple_bind_dn_pattern
that enables direct bind authentication. When set, the system constructs the
user DN from the pattern (using ${USER} as a placeholder) and binds directly,
skipping the admin search step entirely.

Key changes:

Add authentication_ldap_simple_bind_dn_pattern to FE Config (mutable)
Implement authenticateByPattern() in LDAPAuthProvider with multi-pattern
support (patterns separated by semicolon ;, tried in order)
Wire the new parameter through both AuthPlugin (legacy path) and
SimpleLDAPSecurityIntegration (security integration path)
Authentication priority: per-user DN > DN pattern > search-and-bind
Add LDAP injection protection via escapeLdapValue() for pattern mode
Add unit tests for direct bind, multi-pattern fallback, and edge cases
Update documentation (EN/ZH/JA) for ldap_authentication, security_integration,
and FE_configuration reference

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
(cherry picked from commit adee4f3)
Signed-off-by: Planck Li <jaogoy@gmail.com>

# Conflicts:
#	fe/fe-core/src/test/java/com/starrocks/authentication/AuthenticationProviderTest.java
#	fe/fe-core/src/test/java/com/starrocks/authentication/SecurityIntegrationTest.java
Removed conflict markers from AuthenticationProviderTest.java.

Signed-off-by: Planck Li <jaogoy@gmail.com>
Removed merge conflict markers and cleaned up the code.

Signed-off-by: Planck Li <jaogoy@gmail.com>
@jaogoy jaogoy force-pushed the mergify/bp/branch-4.0/pr-71559 branch from bd6d50b to 2928de6 Compare April 24, 2026 06:55
Signed-off-by: Planck Li <jaogoy@gmail.com>

Signed-off-by: Planck Li <jaogoy@gmail.com>
@github-actions github-actions Bot added the docs-maintainer Picked up by the weekly docs triage workflow label Apr 29, 2026
The class AccessControlContext does not exist in the source tree;
the same file's earlier tests (lines 99/118) already use ConnectContext,
which has the required getDistinguishedName()/setDistinguishedName()
methods and matches LDAPAuthProvider.authenticate()'s first parameter type.

Signed-off-by: Planck Li <jaogoy@gmail.com>
@wanpengfei-git wanpengfei-git merged commit 3a73352 into branch-4.0 Apr 30, 2026
28 checks passed
@wanpengfei-git wanpengfei-git deleted the mergify/bp/branch-4.0/pr-71559 branch April 30, 2026 02:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automerge conflicts docs-maintainer Picked up by the weekly docs triage workflow documentation Documentation changes version:4.0.11

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants