From 07fc9a4d32823952bdf60f74de26aec1200e9deb Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Thu, 22 Jan 2026 19:02:49 +0300 Subject: [PATCH 01/12] feat: add LDAPS support with configurable SSL/TLS connection --- conf/ldap.conf | 2 ++ .../src/main/java/org/apache/doris/common/LdapConfig.java | 7 +++++++ .../apache/doris/mysql/authenticate/ldap/LdapClient.java | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/conf/ldap.conf b/conf/ldap.conf index deb1a06a1d0479..9ef4de35776a21 100644 --- a/conf/ldap.conf +++ b/conf/ldap.conf @@ -42,6 +42,8 @@ ldap_user_basedn = ou=people,dc=domain,dc=com ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,dc=domain,dc=com +## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default) +# ldap_use_ssl = false # ldap_user_cache_timeout_s = 5 * 60; # LDAP pool configuration diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 9499fcc2a1b88f..06d814d5627d9b 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java @@ -157,4 +157,11 @@ public class LdapConfig extends ConfigBase { */ @ConfigBase.ConfField public static boolean ldap_pool_test_while_idle = true; + + /** + * Flag to enable usage of LDAPS. + */ + @Deprecated + @ConfigBase.ConfField + public static boolean ldap_use_ssl = false; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index d5641ac6c09b82..1c9cc532ace75d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java 
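Review bot: The Javadoc on the new `ldap_use_ssl` field in LdapConfig.java says only "Flag to enable usage of LDAPS", which omits what an operator needs to know when choosing a value. With the default `false` the client connects over `ldap://`, so the bind DN and password that LdapClient configures on its context source are presumably sent unencrypted. I would expand the comment to something like `Enables LDAPS (LDAP over TLS). When false (default) the connection, including bind credentials, is not encrypted; when true, ldap_port must point at the server's LDAPS listener.`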
@@ -65,7 +65,7 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = "ldap://" + NetUtils + String url = (LdapConfig.ldap_use_ssl ? "ldaps://" : "ldap://") + NetUtils .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); contextSource.setUrl(url); @@ -78,7 +78,7 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = "ldap://" + NetUtils + String url = (LdapConfig.ldap_use_ssl ? "ldaps://" : "ldap://") + NetUtils .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); contextSource.setUrl(url); From e8a3be4fb91e6d85b3a07302ce532a3a23f51699 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Fri, 23 Jan 2026 19:05:25 +0300 Subject: [PATCH 02/12] added test for secure / insecure protocol --- conf/ldap.conf | 3 ++- .../org/apache/doris/common/LdapConfig.java | 1 - .../mysql/authenticate/ldap/LdapClient.java | 11 ++++++---- .../authenticate/ldap/LdapClientTest.java | 21 +++++++++++++++++++ 4 files changed, 30 insertions(+), 6 deletions(-) diff --git a/conf/ldap.conf b/conf/ldap.conf index 9ef4de35776a21..c931a889eff360 100644 --- a/conf/ldap.conf +++ b/conf/ldap.conf @@ -42,9 +42,10 @@ ldap_user_basedn = ou=people,dc=domain,dc=com ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,dc=domain,dc=com +# ldap_user_cache_timeout_s = 5 * 60; + ## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default) # ldap_use_ssl = false -# ldap_user_cache_timeout_s = 5 * 60; # LDAP pool configuration # https://docs.spring.io/spring-ldap/docs/2.3.3.RELEASE/reference/#pool-configuration 
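Review bot: Switching the scheme to `ldaps://` in setLdapTemplateNoPool (and on the identical line in setLdapTemplatePool, second hunk) is the only TLS-related change, so certificate validation is left entirely to the JVM defaults. As far as the hunks show, nothing sets a trust store or socket factory on `contextSource`, so a directory server with a private-CA or self-signed certificate will fail the handshake unless its CA is trusted by the FE JVM (for example via `javax.net.ssl.trustStore`). Failing closed is the right behaviour, but it should be stated next to the option so that operators fix trust rather than look for a way to turn verification off. A comment such as `// ldaps:// relies on the JVM default trust store; the LDAP server's CA must be trusted by the FE JVM` would do. Both method bodies continue outside the hunks.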
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 06d814d5627d9b..d7e4648790d22a 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java @@ -161,7 +161,6 @@ public class LdapConfig extends ConfigBase { /** * Flag to enable usage of LDAPS. */ - @Deprecated @ConfigBase.ConfField public static boolean ldap_use_ssl = false; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 1c9cc532ace75d..d67af6500cda6f 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -65,8 +65,7 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = (LdapConfig.ldap_use_ssl ? "ldaps://" : "ldap://") + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); + String url = this.getURL(); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -78,8 +77,7 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = (LdapConfig.ldap_use_ssl ? "ldaps://" : "ldap://") + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); + String url = this.getURL(); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); 
@@ -108,6 +106,11 @@ private void setLdapTemplatePool(String ldapPassword) { public boolean checkUpdate(String ldapPassword) { return this.ldapPassword == null || !this.ldapPassword.equals(ldapPassword); } + + public String getURL() { + String url = (LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils + .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); + } } private void init() { diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 866a84e752819d..3be00009851100 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -95,4 +95,25 @@ public void testGetGroups() { }; Assert.assertEquals(1, ldapClient.getGroups("zhangsan").size()); } + + @Test + public void testSecuredProtocolIsUsed() { + //testing default case with not specified property ldap_use_ssl or it is specified as false + String insecureUrl = ldapClient.getURL(); + Assert.assertNotNull("connection URL should not be null", insecureUrl); + Assert.assertTrue("with ldap_use_ssl connection = false or not specified URL should start with ldap, but received: " + insecureUrl, + insecureUrl.startsWith("ldap://")); + + //testing new case with specified property ldap_use_ssl as true + LdapConfig.ldap_use_ssl = true; + String secureUrl = ldapClient.getURL(); + Assert.assertNotNull("connection URL should not be null", secureUrl); + Assert.assertTrue("with ldap_use_ssl = true URL connection should start with ldaps, but received: " + secureUrl, + secureUrl.startsWith("ldaps://")); + } + + @After + public void tearDown() { + LdapConfig.ldap_use_ssl = false; // restoring default value for other tests + } } From 4e3957c90fdaf47e252617f07f2fbe14409790c6 Mon Sep 17 00:00:00 2001 
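Review bot: The new `getURL()` is declared to return `String`, but its body only assigns a local `url` and never returns it, so this commit does not compile on its own. The body should be `return (LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port);`. PATCH 03 makes that change, but folding it into this commit would keep every commit in the series buildable for bisecting. The test added in the next hunk calls `ldapClient.getURL()`, while the method appears to be defined on the nested ClientInfo class (the class closes just before `init()`), so that call probably does not resolve either; confirm against the full file.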
From: Ivan Orekhov Date: Tue, 27 Jan 2026 13:09:15 +0300 Subject: [PATCH 03/12] fix: refactoring for url construction function --- .../org/apache/doris/mysql/authenticate/ldap/LdapClient.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index d67af6500cda6f..6ff2b762a9753d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -108,8 +108,8 @@ public boolean checkUpdate(String ldapPassword) { } public String getURL() { - String url = (LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); + return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils + .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); } } From 2d19a13391e0c977a775ea953e9ff05065fe8872 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 27 Jan 2026 13:36:41 +0300 Subject: [PATCH 04/12] fix: missing import for code --- .../apache/doris/mysql/authenticate/ldap/LdapClientTest.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 3be00009851100..363dce6e0c5d54 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -22,6 +22,8 @@ import mockit.Expectations; import mockit.Tested; + +import org.junit.After; import org.junit.Assert; import org.junit.Before; import org.junit.Test; From ae3f639c035a5fc56e59b3418cbe0486acaf099f Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Tue, 27 Jan 2026 14:12:51 +0300 Subject: [PATCH 05/12] fix: improve test logic for LDAP connection string --- .../apache/doris/mysql/authenticate/ldap/LdapClient.java | 7 ++++++- .../doris/mysql/authenticate/ldap/LdapClientTest.java | 1 - 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 6ff2b762a9753d..f21c38de1742cc 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -107,7 +107,7 @@ public boolean checkUpdate(String ldapPassword) { return this.ldapPassword == null || !this.ldapPassword.equals(ldapPassword); } - public String getURL() { + private String getURL() { return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); } @@ -231,6 +231,11 @@ protected String doMapFromContext(DirContextOperations ctx) { } } + @VisibleForTesting + public String getURL() { + return clientInfo.getURL(); + } + private String getUserFilter(String userFilter, String userName) { return userFilter.replaceAll("\\{login}", userName); } diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 363dce6e0c5d54..3e0991eb1ccc55 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -22,7 +22,6 @@ import mockit.Expectations; import mockit.Tested; - import org.junit.After; import org.junit.Assert; import org.junit.Before; From 5971f63839f00ff836dc8b61b3f5be4114168588 Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Tue, 27 Jan 2026 15:32:51 +0300 Subject: [PATCH 06/12] fix: refactoring getURL method to static one to enable unit testing --- .../doris/mysql/authenticate/ldap/LdapClient.java | 14 +++++--------- .../mysql/authenticate/ldap/LdapClientTest.java | 4 ++-- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index f21c38de1742cc..28c4bad9ce2023 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -65,7 +65,7 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = this.getURL(); + String url = LdapClient.getURL(); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -77,7 +77,7 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = this.getURL(); + String url = LdapClient.getURL(); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -107,10 +107,6 @@ public boolean checkUpdate(String ldapPassword) { return this.ldapPassword == null || !this.ldapPassword.equals(ldapPassword); } - private String getURL() { - return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); - } } private void init() { 
@@ -231,9 +227,9 @@ protected String doMapFromContext(DirContextOperations ctx) { } } - @VisibleForTesting - public String getURL() { - return clientInfo.getURL(); + static String getURL() { + return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils + .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); } private String getUserFilter(String userFilter, String userName) { diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 3e0991eb1ccc55..6e5cef13899b32 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -100,14 +100,14 @@ public void testGetGroups() { @Test public void testSecuredProtocolIsUsed() { //testing default case with not specified property ldap_use_ssl or it is specified as false - String insecureUrl = ldapClient.getURL(); + String insecureUrl = LdapClient.getURL(); Assert.assertNotNull("connection URL should not be null", insecureUrl); Assert.assertTrue("with ldap_use_ssl connection = false or not specified URL should start with ldap, but received: " + insecureUrl, insecureUrl.startsWith("ldap://")); //testing new case with specified property ldap_use_ssl as true LdapConfig.ldap_use_ssl = true; - String secureUrl = ldapClient.getURL(); + String secureUrl = LdapClient.getURL(); Assert.assertNotNull("connection URL should not be null", secureUrl); Assert.assertTrue("with ldap_use_ssl = true URL connection should start with ldaps, but received: " + secureUrl, secureUrl.startsWith("ldaps://")); From 22430a0c41d537d7bcf8bee44d39ed38fd07b704 Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Tue, 27 Jan 2026 15:56:14 +0300 Subject: [PATCH 07/12] fix: total refactoring of getConnectionURL method to support unit testing --- .../java/org/apache/doris/common/LdapConfig.java | 12 ++++++++++++ .../doris/mysql/authenticate/ldap/LdapClient.java | 11 ++++------- .../mysql/authenticate/ldap/LdapClientTest.java | 12 ++++++++---- 3 files changed, 24 insertions(+), 11 deletions(-) diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index d7e4648790d22a..0f1b52b4bf952c 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java @@ -163,4 +163,16 @@ public class LdapConfig extends ConfigBase { */ @ConfigBase.ConfField public static boolean ldap_use_ssl = false; + + /** + * The method constructs correct URL connection string for specified host and port depending on + * value of ldap_use_ssl property. + * If ldap_use_ssl property is true - LDAPS is used as protocol + * If ldap_use_ssl_property is false or not specified - LDAP is used as protocol + * @param hostPortInAccessibleFormat + * @return + */ + public static String getConnectionURL(String hostPortInAccessibleFormat) { + return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + hostPortInAccessibleFormat); + } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 28c4bad9ce2023..7f59744d43614a 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java 
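Review bot: The return expression in `getConnectionURL` has a redundant outer pair of parentheses and qualifies the field with `LdapConfig.` inside LdapConfig itself; `return (ldap_use_ssl ? "ldaps" : "ldap") + "://" + hostPortInAccessibleFormat;` reads more directly. The Javadoc's claim that the method builds the "correct URL connection string" is also stronger than what the code does. Only the scheme is chosen here, and the host and port are passed through unchanged, so enabling `ldap_use_ssl` while leaving `ldap_port` on the plaintext listener still yields a URL that cannot complete a TLS handshake. I would reword the first sentence to `Prefixes the given host:port with ldaps:// when ldap_use_ssl is true, otherwise ldap://; the port is not adjusted.`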
@@ -65,7 +65,8 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = LdapClient.getURL(); + String url = LdapConfig.getConnectionURL( + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -77,7 +78,8 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = LdapClient.getURL(); + String url = LdapConfig.getConnectionURL( + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -227,11 +229,6 @@ protected String doMapFromContext(DirContextOperations ctx) { } } - static String getURL() { - return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); - } - private String getUserFilter(String userFilter, String userName) { return userFilter.replaceAll("\\{login}", userName); } diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 6e5cef13899b32..51d216f04a989c 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -19,6 +19,7 @@ import org.apache.doris.common.Config; import org.apache.doris.common.LdapConfig; +import org.apache.doris.common.util.NetUtils; import mockit.Expectations; import mockit.Tested; 
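Review bot: The two-line `LdapConfig.getConnectionURL(NetUtils.getHostPortInAccessibleFormat(...))` expression is repeated verbatim in setLdapTemplateNoPool and setLdapTemplatePool (first and second hunk), and twice more in the test. A small private helper next to them, e.g. `private static String ldapUrl() { return LdapConfig.getConnectionURL(NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); }`, would keep the scheme, host and port logic in one place. That way a later transport change cannot be applied to the pooled template and missed in the non-pooled one. Both method bodies continue outside the hunks.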
@@ -100,16 +101,19 @@ public void testGetGroups() { @Test public void testSecuredProtocolIsUsed() { //testing default case with not specified property ldap_use_ssl or it is specified as false - String insecureUrl = LdapClient.getURL(); + String insecureUrl = LdapConfig.getConnectionURL( + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); + Assert.assertNotNull("connection URL should not be null", insecureUrl); - Assert.assertTrue("with ldap_use_ssl connection = false or not specified URL should start with ldap, but received: " + insecureUrl, + Assert.assertTrue("with ldap_use_ssl = false or not specified URL should start with ldap, but received: " + insecureUrl, insecureUrl.startsWith("ldap://")); //testing new case with specified property ldap_use_ssl as true LdapConfig.ldap_use_ssl = true; - String secureUrl = LdapClient.getURL(); + String secureUrl = LdapConfig.getConnectionURL( + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); Assert.assertNotNull("connection URL should not be null", secureUrl); - Assert.assertTrue("with ldap_use_ssl = true URL connection should start with ldaps, but received: " + secureUrl, + Assert.assertTrue("with ldap_use_ssl = true URL should start with ldaps, but received: " + secureUrl, secureUrl.startsWith("ldaps://")); } From d3198cdac95fca37134f8bf3da227e2fba6d4e34 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 27 Jan 2026 16:30:08 +0300 Subject: [PATCH 08/12] fix: extra space --- .../src/main/java/org/apache/doris/common/LdapConfig.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 0f1b52b4bf952c..078328a6856c82 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java 
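Review bot: Both assertions in `testSecuredProtocolIsUsed` check only `startsWith(...)`, so a regression that drops or mangles the host and port after the scheme would still pass. Comparing the whole value pins the full URL, e.g. `Assert.assertEquals("ldaps://" + hostPort, secureUrl);` with `hostPort` computed once from `NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)`. The test also exercises only the string helper and does not check that the `LdapContextSource` built by LdapClient receives that URL. On its own it therefore does not show that authentication traffic goes over TLS when the flag is set.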
@@ -165,7 +165,7 @@ public class LdapConfig extends ConfigBase { public static boolean ldap_use_ssl = false; /** - * The method constructs correct URL connection string for specified host and port depending on + * The method constructs correct URL connection string for specified host and port depending on * value of ldap_use_ssl property. * If ldap_use_ssl property is true - LDAPS is used as protocol * If ldap_use_ssl_property is false or not specified - LDAP is used as protocol From dcaede11e37f7effbff12b0adbaf1ed750173536 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 27 Jan 2026 17:04:03 +0300 Subject: [PATCH 09/12] fix: indentation --- .../org/apache/doris/mysql/authenticate/ldap/LdapClient.java | 4 ++-- .../apache/doris/mysql/authenticate/ldap/LdapClientTest.java | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 7f59744d43614a..79248ab0212ecd 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -66,7 +66,7 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); String url = LdapConfig.getConnectionURL( - NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); 
@@ -79,7 +79,7 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); String url = LdapConfig.getConnectionURL( - NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 51d216f04a989c..0264533327904b 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -111,7 +111,7 @@ public void testSecuredProtocolIsUsed() { //testing new case with specified property ldap_use_ssl as true LdapConfig.ldap_use_ssl = true; String secureUrl = LdapConfig.getConnectionURL( - NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); Assert.assertNotNull("connection URL should not be null", secureUrl); Assert.assertTrue("with ldap_use_ssl = true URL should start with ldaps, but received: " + secureUrl, secureUrl.startsWith("ldaps://")); From 52780d27c0023babf0c89ac476a85742e32d41a8 Mon Sep 17 00:00:00 2001 From: iaorekhov-1980 Date: Thu, 5 Feb 2026 17:03:25 +0300 Subject: [PATCH 10/12] fix: provide improved description for conf/ldap.conf Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- conf/ldap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/ldap.conf b/conf/ldap.conf index c931a889eff360..9388ae7ee50b1e 100644 --- a/conf/ldap.conf +++ b/conf/ldap.conf 
@@ -44,7 +44,7 @@ ldap_group_basedn = ou=group,dc=domain,dc=com # ldap_user_cache_timeout_s = 5 * 60; -## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default) +## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default). Note: When enabling SSL, ensure ldap_port is set appropriately (typically 636 for LDAPS instead of 389 for LDAP). # ldap_use_ssl = false # LDAP pool configuration From 4896cd54228883cf9038c733b92113db2f0c2f6c Mon Sep 17 00:00:00 2001 From: iaorekhov-1980 Date: Thu, 5 Feb 2026 17:04:44 +0300 Subject: [PATCH 11/12] fix: fixing javadoc for LdapConfig.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../java/org/apache/doris/common/LdapConfig.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 078328a6856c82..881840696dcde8 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java 
@@ -165,12 +165,12 @@ public class LdapConfig extends ConfigBase { public static boolean ldap_use_ssl = false; /** - * The method constructs correct URL connection string for specified host and port depending on - * value of ldap_use_ssl property. - * If ldap_use_ssl property is true - LDAPS is used as protocol - * If ldap_use_ssl_property is false or not specified - LDAP is used as protocol - * @param hostPortInAccessibleFormat - * @return + * The method constructs the correct URL connection string for the specified host and port depending on + * the value of the {@code ldap_use_ssl} property. + * If {@code ldap_use_ssl} is true, LDAPS is used as the protocol. + * If {@code ldap_use_ssl} is false or not specified, LDAP is used as the protocol. + * @param hostPortInAccessibleFormat the host and port in accessible format (for example, "host:port") + * @return the LDAP or LDAPS connection URL string */ public static String getConnectionURL(String hostPortInAccessibleFormat) { return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + hostPortInAccessibleFormat); From c4c0070b8e6e9a47d2e5fae6f20d4ff0f5d720d9 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Thu, 5 Feb 2026 17:15:05 +0300 Subject: [PATCH 12/12] fix: increased test quality by improving setUp method --- .../org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java | 1 + 1 file changed, 1 insertion(+) diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 0264533327904b..c0d6c36f83ba99 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java 
@@ -45,6 +45,7 @@ public void setUp() { LdapConfig.ldap_user_basedn = "dc=baidu,dc=com"; LdapConfig.ldap_group_basedn = "ou=group,dc=baidu,dc=com"; LdapConfig.ldap_user_filter = "(&(uid={login}))"; + LdapConfig.ldap_use_ssl = false; } @Test