From f67ea1db6bc29e31a2758deb4e3615ee02d6908c Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Thu, 22 Jan 2026 19:02:49 +0300 Subject: [PATCH 01/18] feat: add LDAPS support with configurable SSL/TLS connection --- conf/ldap.conf | 2 ++ .../src/main/java/org/apache/doris/common/LdapConfig.java | 7 +++++++ .../apache/doris/mysql/authenticate/ldap/LdapClient.java | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/conf/ldap.conf b/conf/ldap.conf index deb1a06a1d0479..9ef4de35776a21 100644 --- a/conf/ldap.conf +++ b/conf/ldap.conf @@ -42,6 +42,8 @@ ldap_user_basedn = ou=people,dc=domain,dc=com ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,dc=domain,dc=com +## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default) +# ldap_use_ssl = false # ldap_user_cache_timeout_s = 5 * 60; # LDAP pool configuration diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 9499fcc2a1b88f..06d814d5627d9b 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java @@ -157,4 +157,11 @@ public class LdapConfig extends ConfigBase { */ @ConfigBase.ConfField public static boolean ldap_pool_test_while_idle = true; + + /** + * Flag to enable usage of LDAPS. + */ + @Deprecated + @ConfigBase.ConfField + public static boolean ldap_use_ssl = false; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index d5641ac6c09b82..1c9cc532ace75d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java 
@@ -65,7 +65,7 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = "ldap://" + NetUtils + String url = (LdapConfig.ldap_use_ssl ? "ldaps://" : "ldap://") + NetUtils .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); contextSource.setUrl(url); @@ -78,7 +78,7 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = "ldap://" + NetUtils + String url = (LdapConfig.ldap_use_ssl ? "ldaps://" : "ldap://") + NetUtils .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); contextSource.setUrl(url); From f34a6e939e44eb44038c5d46ece21ea9e4028bae Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Fri, 23 Jan 2026 19:05:25 +0300 Subject: [PATCH 02/18] added test for secure / insecure protocol --- conf/ldap.conf | 3 ++- .../org/apache/doris/common/LdapConfig.java | 1 - .../mysql/authenticate/ldap/LdapClient.java | 11 ++++++---- .../authenticate/ldap/LdapClientTest.java | 21 +++++++++++++++++++ 4 files changed, 30 insertions(+), 6 deletions(-) diff --git a/conf/ldap.conf b/conf/ldap.conf index 9ef4de35776a21..c931a889eff360 100644 --- a/conf/ldap.conf +++ b/conf/ldap.conf @@ -42,9 +42,10 @@ ldap_user_basedn = ou=people,dc=domain,dc=com ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,dc=domain,dc=com +# ldap_user_cache_timeout_s = 5 * 60; + ## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default) # ldap_use_ssl = false -# ldap_user_cache_timeout_s = 5 * 60; # LDAP pool configuration # https://docs.spring.io/spring-ldap/docs/2.3.3.RELEASE/reference/#pool-configuration 
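Review bot: Switching the scheme to `ldaps://` in `setLdapTemplateNoPool` and `setLdapTemplatePool` is the only TLS-related change, and nothing in these hunks tells an operator how the server certificate will be trusted. The `LdapContextSource` is given no trust material here, so the handshake presumably falls back to the JVM default trust store and JNDI's LDAPS hostname check, and a directory signed by a private CA will fail until that CA is imported. I would document this next to the option in conf/ldap.conf, e.g. `## the LDAP server certificate must chain to a CA in the FE JVM trust store and match ldap_host`. The `ldap_use_ssl` Javadoc should also say that the default `false` sends the `ldap_admin_name` bind unencrypted. Both methods continue outside the hunks.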
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 06d814d5627d9b..d7e4648790d22a 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java @@ -161,7 +161,6 @@ public class LdapConfig extends ConfigBase { /** * Flag to enable usage of LDAPS. */ - @Deprecated @ConfigBase.ConfField public static boolean ldap_use_ssl = false; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 1c9cc532ace75d..d67af6500cda6f 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -65,8 +65,7 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = (LdapConfig.ldap_use_ssl ? "ldaps://" : "ldap://") + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); + String url = this.getURL(); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -78,8 +77,7 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = (LdapConfig.ldap_use_ssl ? "ldaps://" : "ldap://") + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); + String url = this.getURL(); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); 
@@ -108,6 +106,11 @@ private void setLdapTemplatePool(String ldapPassword) { public boolean checkUpdate(String ldapPassword) { return this.ldapPassword == null || !this.ldapPassword.equals(ldapPassword); } + + public String getURL() { + String url = (LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils + .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); + } } private void init() { diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 866a84e752819d..3be00009851100 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -95,4 +95,25 @@ public void testGetGroups() { }; Assert.assertEquals(1, ldapClient.getGroups("zhangsan").size()); } + + @Test + public void testSecuredProtocolIsUsed() { + //testing default case with not specified property ldap_use_ssl or it is specified as false + String insecureUrl = ldapClient.getURL(); + Assert.assertNotNull("connection URL should not be null", insecureUrl); + Assert.assertTrue("with ldap_use_ssl connection = false or not specified URL should start with ldap, but received: " + insecureUrl, + insecureUrl.startsWith("ldap://")); + + //testing new case with specified property ldap_use_ssl as true + LdapConfig.ldap_use_ssl = true; + String secureUrl = ldapClient.getURL(); + Assert.assertNotNull("connection URL should not be null", secureUrl); + Assert.assertTrue("with ldap_use_ssl = true URL connection should start with ldaps, but received: " + secureUrl, + secureUrl.startsWith("ldaps://")); + } + + @After + public void tearDown() { + LdapConfig.ldap_use_ssl = false; // restoring default value for other tests + } } From 7a9be139538ec92f1033b4fce092252a55499e13 Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Tue, 27 Jan 2026 13:09:15 +0300 Subject: [PATCH 03/18] fix: refactoring for url construction function --- .../org/apache/doris/mysql/authenticate/ldap/LdapClient.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index d67af6500cda6f..6ff2b762a9753d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -108,8 +108,8 @@ public boolean checkUpdate(String ldapPassword) { } public String getURL() { - String url = (LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port); + return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils + .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); } } From ae55c341abb1962f7048a4b48fc8db67b67baab1 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 27 Jan 2026 13:36:41 +0300 Subject: [PATCH 04/18] fix: missing import for code --- .../apache/doris/mysql/authenticate/ldap/LdapClientTest.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 3be00009851100..363dce6e0c5d54 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -22,6 +22,8 @@ import mockit.Expectations; import mockit.Tested; + +import org.junit.After; import org.junit.Assert; import org.junit.Before; import org.junit.Test; From c07f48a57478a392872703d64696821ace623575 Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Tue, 27 Jan 2026 14:12:51 +0300 Subject: [PATCH 05/18] fix: improve test logic for LDAP connection string --- .../apache/doris/mysql/authenticate/ldap/LdapClient.java | 7 ++++++- .../doris/mysql/authenticate/ldap/LdapClientTest.java | 1 - 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 6ff2b762a9753d..f21c38de1742cc 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -107,7 +107,7 @@ public boolean checkUpdate(String ldapPassword) { return this.ldapPassword == null || !this.ldapPassword.equals(ldapPassword); } - public String getURL() { + private String getURL() { return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); } @@ -231,6 +231,11 @@ protected String doMapFromContext(DirContextOperations ctx) { } } + @VisibleForTesting + public String getURL() { + return clientInfo.getURL(); + } + private String getUserFilter(String userFilter, String userName) { return userFilter.replaceAll("\\{login}", userName); } diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 363dce6e0c5d54..3e0991eb1ccc55 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -22,7 +22,6 @@ import mockit.Expectations; import mockit.Tested; - import org.junit.After; import org.junit.Assert; import org.junit.Before; From 8736e047107a2b09766e3be1cbf521047c89734c Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Tue, 27 Jan 2026 15:32:51 +0300 Subject: [PATCH 06/18] fix: refactoring getURL method to static one to enable unit testing --- .../doris/mysql/authenticate/ldap/LdapClient.java | 14 +++++--------- .../mysql/authenticate/ldap/LdapClientTest.java | 4 ++-- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index f21c38de1742cc..28c4bad9ce2023 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -65,7 +65,7 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = this.getURL(); + String url = LdapClient.getURL(); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -77,7 +77,7 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = this.getURL(); + String url = LdapClient.getURL(); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -107,10 +107,6 @@ public boolean checkUpdate(String ldapPassword) { return this.ldapPassword == null || !this.ldapPassword.equals(ldapPassword); } - private String getURL() { - return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); - } } private void init() { 
@@ -231,9 +227,9 @@ protected String doMapFromContext(DirContextOperations ctx) { } } - @VisibleForTesting - public String getURL() { - return clientInfo.getURL(); + static String getURL() { + return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils + .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); } private String getUserFilter(String userFilter, String userName) { diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 3e0991eb1ccc55..6e5cef13899b32 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -100,14 +100,14 @@ public void testGetGroups() { @Test public void testSecuredProtocolIsUsed() { //testing default case with not specified property ldap_use_ssl or it is specified as false - String insecureUrl = ldapClient.getURL(); + String insecureUrl = LdapClient.getURL(); Assert.assertNotNull("connection URL should not be null", insecureUrl); Assert.assertTrue("with ldap_use_ssl connection = false or not specified URL should start with ldap, but received: " + insecureUrl, insecureUrl.startsWith("ldap://")); //testing new case with specified property ldap_use_ssl as true LdapConfig.ldap_use_ssl = true; - String secureUrl = ldapClient.getURL(); + String secureUrl = LdapClient.getURL(); Assert.assertNotNull("connection URL should not be null", secureUrl); Assert.assertTrue("with ldap_use_ssl = true URL connection should start with ldaps, but received: " + secureUrl, secureUrl.startsWith("ldaps://")); From 7d3f5851dd03df883d49aa40439e31b793081ee6 Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Tue, 27 Jan 2026 15:56:14 +0300 Subject: [PATCH 07/18] fix: total refactoring of getConnectionURL method to support unit testing --- .../java/org/apache/doris/common/LdapConfig.java | 12 ++++++++++++ .../doris/mysql/authenticate/ldap/LdapClient.java | 11 ++++------- .../mysql/authenticate/ldap/LdapClientTest.java | 12 ++++++++---- 3 files changed, 24 insertions(+), 11 deletions(-) diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index d7e4648790d22a..0f1b52b4bf952c 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java @@ -163,4 +163,16 @@ public class LdapConfig extends ConfigBase { */ @ConfigBase.ConfField public static boolean ldap_use_ssl = false; + + /** + * The method constructs correct URL connection string for specified host and port depending on + * value of ldap_use_ssl property. + * If ldap_use_ssl property is true - LDAPS is used as protocol + * If ldap_use_ssl_property is false or not specified - LDAP is used as protocol + * @param hostPortInAccessibleFormat + * @return + */ + public static String getConnectionURL(String hostPortInAccessibleFormat) { + return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + hostPortInAccessibleFormat); + } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 28c4bad9ce2023..7f59744d43614a 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java 
@@ -65,7 +65,8 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = LdapClient.getURL(); + String url = LdapConfig.getConnectionURL( + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -77,7 +78,8 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); - String url = LdapClient.getURL(); + String url = LdapConfig.getConnectionURL( + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); @@ -227,11 +229,6 @@ protected String doMapFromContext(DirContextOperations ctx) { } } - static String getURL() { - return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + NetUtils - .getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); - } - private String getUserFilter(String userFilter, String userName) { return userFilter.replaceAll("\\{login}", userName); } diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 6e5cef13899b32..51d216f04a989c 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -19,6 +19,7 @@ import org.apache.doris.common.Config; import org.apache.doris.common.LdapConfig; +import org.apache.doris.common.util.NetUtils; import mockit.Expectations; import mockit.Tested; 
@@ -100,16 +101,19 @@ public void testGetGroups() { @Test public void testSecuredProtocolIsUsed() { //testing default case with not specified property ldap_use_ssl or it is specified as false - String insecureUrl = LdapClient.getURL(); + String insecureUrl = LdapConfig.getConnectionURL( + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); + Assert.assertNotNull("connection URL should not be null", insecureUrl); - Assert.assertTrue("with ldap_use_ssl connection = false or not specified URL should start with ldap, but received: " + insecureUrl, + Assert.assertTrue("with ldap_use_ssl = false or not specified URL should start with ldap, but received: " + insecureUrl, insecureUrl.startsWith("ldap://")); //testing new case with specified property ldap_use_ssl as true LdapConfig.ldap_use_ssl = true; - String secureUrl = LdapClient.getURL(); + String secureUrl = LdapConfig.getConnectionURL( + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); Assert.assertNotNull("connection URL should not be null", secureUrl); - Assert.assertTrue("with ldap_use_ssl = true URL connection should start with ldaps, but received: " + secureUrl, + Assert.assertTrue("with ldap_use_ssl = true URL should start with ldaps, but received: " + secureUrl, secureUrl.startsWith("ldaps://")); } From d84c82b3e8f6e7f452902a6df1d8550070af644f Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 27 Jan 2026 16:30:08 +0300 Subject: [PATCH 08/18] fix: extra space --- .../src/main/java/org/apache/doris/common/LdapConfig.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 0f1b52b4bf952c..078328a6856c82 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java 
@@ -165,7 +165,7 @@ public class LdapConfig extends ConfigBase { public static boolean ldap_use_ssl = false; /** - * The method constructs correct URL connection string for specified host and port depending on + * The method constructs correct URL connection string for specified host and port depending on * value of ldap_use_ssl property. * If ldap_use_ssl property is true - LDAPS is used as protocol * If ldap_use_ssl_property is false or not specified - LDAP is used as protocol From 4169fc1c9ca4c8c724e979027cca692e3e8a3dd6 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 27 Jan 2026 17:04:03 +0300 Subject: [PATCH 09/18] fix: indentation --- .../org/apache/doris/mysql/authenticate/ldap/LdapClient.java | 4 ++-- .../apache/doris/mysql/authenticate/ldap/LdapClientTest.java | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java index 7f59744d43614a..79248ab0212ecd 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java @@ -66,7 +66,7 @@ public ClientInfo(String ldapPassword) { private void setLdapTemplateNoPool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); String url = LdapConfig.getConnectionURL( - NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); 
@@ -79,7 +79,7 @@ private void setLdapTemplateNoPool(String ldapPassword) { private void setLdapTemplatePool(String ldapPassword) { LdapContextSource contextSource = new LdapContextSource(); String url = LdapConfig.getConnectionURL( - NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); contextSource.setUrl(url); contextSource.setUserDn(LdapConfig.ldap_admin_name); diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 51d216f04a989c..0264533327904b 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java @@ -111,7 +111,7 @@ public void testSecuredProtocolIsUsed() { //testing new case with specified property ldap_use_ssl as true LdapConfig.ldap_use_ssl = true; String secureUrl = LdapConfig.getConnectionURL( - NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); + NetUtils.getHostPortInAccessibleFormat(LdapConfig.ldap_host, LdapConfig.ldap_port)); Assert.assertNotNull("connection URL should not be null", secureUrl); Assert.assertTrue("with ldap_use_ssl = true URL should start with ldaps, but received: " + secureUrl, secureUrl.startsWith("ldaps://")); From 5e6b9d94e8771372bebda98f720bc7ade31afc66 Mon Sep 17 00:00:00 2001 From: iaorekhov-1980 Date: Thu, 5 Feb 2026 17:03:25 +0300 Subject: [PATCH 10/18] fix: provide improved description for conf/ldap.conf Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- conf/ldap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/ldap.conf b/conf/ldap.conf index c931a889eff360..9388ae7ee50b1e 100644 --- a/conf/ldap.conf +++ b/conf/ldap.conf 
@@ -44,7 +44,7 @@ ldap_group_basedn = ou=group,dc=domain,dc=com # ldap_user_cache_timeout_s = 5 * 60; -## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default) +## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default). Note: When enabling SSL, ensure ldap_port is set appropriately (typically 636 for LDAPS instead of 389 for LDAP). # ldap_use_ssl = false # LDAP pool configuration From 34222fd13747ed147ca99095c286bd62b1c41673 Mon Sep 17 00:00:00 2001 From: iaorekhov-1980 Date: Thu, 5 Feb 2026 17:04:44 +0300 Subject: [PATCH 11/18] fix: fixing javadoc for LdapConfig.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../java/org/apache/doris/common/LdapConfig.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 078328a6856c82..881840696dcde8 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java 
@@ -165,12 +165,12 @@ public class LdapConfig extends ConfigBase { public static boolean ldap_use_ssl = false; /** - * The method constructs correct URL connection string for specified host and port depending on - * value of ldap_use_ssl property. - * If ldap_use_ssl property is true - LDAPS is used as protocol - * If ldap_use_ssl_property is false or not specified - LDAP is used as protocol - * @param hostPortInAccessibleFormat - * @return + * The method constructs the correct URL connection string for the specified host and port depending on + * the value of the {@code ldap_use_ssl} property. + * If {@code ldap_use_ssl} is true, LDAPS is used as the protocol. + * If {@code ldap_use_ssl} is false or not specified, LDAP is used as the protocol. + * @param hostPortInAccessibleFormat the host and port in accessible format (for example, "host:port") + * @return the LDAP or LDAPS connection URL string */ public static String getConnectionURL(String hostPortInAccessibleFormat) { return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + hostPortInAccessibleFormat); From 89ad517796e64d2835b7e4ba9f7d4c84b141d428 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Thu, 5 Feb 2026 17:15:05 +0300 Subject: [PATCH 12/18] fix: increased test quality by improving setUp method --- .../org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java | 1 + 1 file changed, 1 insertion(+) diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java index 0264533327904b..c0d6c36f83ba99 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java 
@@ -45,6 +45,7 @@ public void setUp() { LdapConfig.ldap_user_basedn = "dc=baidu,dc=com"; LdapConfig.ldap_group_basedn = "ou=group,dc=baidu,dc=com"; LdapConfig.ldap_user_filter = "(&(uid={login}))"; + LdapConfig.ldap_use_ssl = false; } @Test From f91f7d303df100c6484c66b0a37bd07a19ba10ec Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 26 Jan 2026 15:02:43 +0300 Subject: [PATCH 13/18] feat: add property to manage usage of empty pass for login --- conf/ldap.conf | 3 +++ .../src/main/java/org/apache/doris/common/LdapConfig.java | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/conf/ldap.conf b/conf/ldap.conf index 9388ae7ee50b1e..15a62c9134f159 100644 --- a/conf/ldap.conf +++ b/conf/ldap.conf @@ -47,6 +47,9 @@ ldap_group_basedn = ou=group,dc=domain,dc=com ## ldap_use_ssl - use secured connection to LDAP server if required (disabled by default). Note: When enabling SSL, ensure ldap_port is set appropriately (typically 636 for LDAPS instead of 389 for LDAP). # ldap_use_ssl = false +## ldap_allow_empty_pass - allow to connect to ldap with empty pass (enabled by default) +# ldap_allow_empty_pass = true + # LDAP pool configuration # https://docs.spring.io/spring-ldap/docs/2.3.3.RELEASE/reference/#pool-configuration # ldap_pool_max_active = 8 diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java index 881840696dcde8..d169d93cbd5382 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java @@ -175,4 +175,10 @@ public class LdapConfig extends ConfigBase { public static String getConnectionURL(String hostPortInAccessibleFormat) { return ((LdapConfig.ldap_use_ssl ? "ldaps" : "ldap") + "://" + hostPortInAccessibleFormat); } + + /** + * Flag to enable login with empty pass. + */ + @ConfigBase.ConfField + public static boolean ldap_allow_empty_pass = true; } 
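Review bot: `ldap_allow_empty_pass` defaults to `true` in LdapConfig.java, so the protection this series adds stays off unless an operator finds the flag and flips it. An LDAP simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513 section 5.1.2), which some directory servers answer with success; if `checkUserPasswd` ends up performing such a bind, an empty password would be accepted for an existing user. I would default the flag to `false`, i.e. `public static boolean ldap_allow_empty_pass = false;`. If compatibility requires `true`, state the risk in the Javadoc and in conf/ldap.conf, e.g. `## WARNING: keep enabled only if the LDAP server rejects unauthenticated binds`.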
From 995b91d653939b95a426f69d1ca4446b74d3d9ec Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 26 Jan 2026 15:54:10 +0300 Subject: [PATCH 14/18] feat: added logic and test to support allow_empty_pass mode --- .../org/apache/doris/common/ErrorCode.java | 5 +++- .../authenticate/ldap/LdapAuthenticator.java | 10 ++++++- .../apache/doris/mysql/privilege/Auth.java | 7 +++++ .../ldap/LdapAuthenticatorTest.java | 26 +++++++++++++++++++ 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java index a678c2b38f9562..c60088c41fc3ac 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java +++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java @@ -1233,7 +1233,10 @@ public enum ErrorCode { ERR_NO_CLUSTER_ERROR(5099, new byte[]{'4', '2', '0', '0', '0'}, "No compute group (cloud cluster) selected"), ERR_NOT_CLOUD_MODE(6000, new byte[]{'4', '2', '0', '0', '0'}, - "Command only support in cloud mode."); + "Command only support in cloud mode."), + + ERR_EMPTY_PASSWORD(6001, new byte[]{'4', '2', '0', '0', '0'}, + "Access with empty password is prohibited for user %s because of current mode"); // This is error code private final int code; diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java index cd9cef469d2520..c9335bc30cd177 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java 
@@ -22,6 +22,7 @@ import org.apache.doris.cluster.ClusterNamespace; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; +import org.apache.doris.common.LdapConfig; import org.apache.doris.mysql.authenticate.AuthenticateRequest; import org.apache.doris.mysql.authenticate.AuthenticateResponse; import org.apache.doris.mysql.authenticate.Authenticator; @@ -84,7 +85,7 @@ public boolean canDeal(String qualifiedUser) { /** * The LDAP authentication process is as follows: - * step1: Check the LDAP password. + * step1: Check the LDAP password (depending on value of property LdapConfig.ldap_allow_empty_pass login with empty pass can be prohibited). * step2: Get the LDAP groups privileges as a role, saved into ConnectContext. * step3: Set current userIdentity. If the user account does not exist in Doris, login as a temporary user. * Otherwise, login to the Doris account. @@ -96,6 +97,13 @@ private AuthenticateResponse internalAuthenticate(String password, String qualif LOG.debug("user:{}", userName); } + //not allow to login in case when empty password is specified but such mode is disabled by configuration + if (Strings.isNullOrEmpty(password) && !LdapConfig.ldap_allow_empty_pass) { + LOG.info("user:{} is not allowed to login with LDAP with empty password because of ldap_allow_empty_pass is {}", userName, LdapConfig.ldap_allow_empty_pass); + ErrorReport.report(ErrorCode.ERR_EMPTY_PASSWORD, qualifiedUser + "@" + remoteIp); + return AuthenticateResponse.failedResponse; + } + // check user password by ldap server. try { if (!Env.getCurrentEnv().getAuth().getLdapManager().checkUserPasswd(qualifiedUser, password)) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java index dbfaaa15c2d49d..3ea2c990fd2523 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java 
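Review bot: The empty-password guard added in the `internalAuthenticate` hunk is repeated in `Auth.checkPlainPassword` in the same commit, so any other caller of the LDAP password check has to remember to add it again. Both paths end in `LdapManager.checkUserPasswd` (the two-argument overload here, the four-argument one in Auth), so a single check there would presumably cover every caller. LdapManager is not part of this patch, so that needs confirming before moving it. If the guard stays here, a short comment such as `// must stay in sync with the guard in Auth.checkPlainPassword` would at least make the coupling visible. The body of `internalAuthenticate` continues outside the hunk.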
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java @@ -39,6 +39,7 @@ import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.FeConstants; +import org.apache.doris.common.LdapConfig; import org.apache.doris.common.Pair; import org.apache.doris.common.PatternMatcherException; import org.apache.doris.common.UserException; @@ -46,6 +47,7 @@ import org.apache.doris.datasource.CatalogIf; import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.mysql.MysqlPassword; +import org.apache.doris.mysql.authenticate.AuthenticateResponse; import org.apache.doris.mysql.authenticate.AuthenticateType; import org.apache.doris.mysql.authenticate.ldap.LdapManager; import org.apache.doris.mysql.authenticate.ldap.LdapUserInfo; @@ -228,6 +230,11 @@ public void checkPlainPassword(String remoteUser, String remoteHost, String remo List currentUser) throws AuthenticationException { // Check the LDAP password when the user exists in the LDAP service. if (ldapManager.doesUserExist(remoteUser)) { + //not allow to login in case when empty password is specified but such mode is disabled by configuration + if (Strings.isNullOrEmpty(remotePasswd) && !LdapConfig.ldap_allow_empty_pass) { + throw new AuthenticationException(ErrorCode.ERR_EMPTY_PASSWORD, remoteUser + "@" + remoteHost); + } + if (!ldapManager.checkUserPasswd(remoteUser, remotePasswd, remoteHost, currentUser)) { throw new AuthenticationException(ErrorCode.ERR_ACCESS_DENIED_ERROR, remoteUser + "@" + remoteHost, Strings.isNullOrEmpty(remotePasswd) ? "NO" : "YES"); diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java index 99cbcdb5fad643..d7bee2514ba6ce 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java 
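Review bot: In the `checkPlainPassword` hunk the empty-password rejection sits inside `if (ldapManager.doesUserExist(remoteUser))` and raises `ERR_EMPTY_PASSWORD`, while a wrong password a few lines below raises `ERR_ACCESS_DENIED_ERROR`. With `ldap_allow_empty_pass = false`, a client that has not authenticated therefore receives a distinct error only for names that exist in LDAP, which discloses which accounts are present in the directory. Returning the same error as a failed password keeps the response uniform, `throw new AuthenticationException(ErrorCode.ERR_ACCESS_DENIED_ERROR, remoteUser + "@" + remoteHost, "NO");`, with the specific reason written to the server log instead. The branch taken when the user is not in LDAP lies outside the hunk, so what it returns for an empty password should be checked as well.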
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java @@ -18,6 +18,7 @@ package org.apache.doris.mysql.authenticate.ldap; import org.apache.doris.analysis.UserIdentity; +import org.apache.doris.common.LdapConfig; import org.apache.doris.mysql.authenticate.AuthenticateRequest; import org.apache.doris.mysql.authenticate.AuthenticateResponse; import org.apache.doris.mysql.authenticate.password.ClearPassword; @@ -27,6 +28,8 @@ import com.google.common.collect.Lists; import mockit.Expectations; import mockit.Mocked; + +import org.junit.After; import org.junit.Assert; import org.junit.Test; @@ -143,4 +146,27 @@ public void testCanDeal() { public void testGetPasswordResolver() { Assert.assertTrue(ldapAuthenticator.getPasswordResolver() instanceof ClearPasswordResolver); } + + @Test + public void testEmptyPassword() throws IOException { + setCheckPassword(true); + setGetUserInDoris(true); + AuthenticateRequest request = new AuthenticateRequest(USER_NAME, new ClearPassword(""), IP); + //running test with non-specified value - ldap_allow_empty_pass should be true + AuthenticateResponse response = ldapAuthenticator.authenticate(request); + Assert.assertTrue(response.isSuccess()); + //running test with specified value - true - ldap_allow_empty_pass is explicitly set to true + LdapConfig.ldap_allow_empty_pass = true; + response = ldapAuthenticator.authenticate(request); + Assert.assertTrue(response.isSuccess()); + //running test with specified value - false - ldap_allow_empty_pass is explicitly set to false + LdapConfig.ldap_allow_empty_pass = false; + response = ldapAuthenticator.authenticate(request); + Assert.assertFalse(response.isSuccess()); + } + + @After + public void tearDown() { + LdapConfig.ldap_allow_empty_pass = true; // restoring default value for other tests + } } From 4e26bf03168b531deb02fdcf9d0fa6035bc524ab Mon Sep 17 00:00:00 2001 
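Review bot: `testEmptyPassword` exercises only `LdapAuthenticator.authenticate`; the equivalent guard this commit adds to `Auth.checkPlainPassword` is not covered by any of the four files in the change. Because that path throws `AuthenticationException` instead of returning a failed response, it can regress independently of the one tested here. A companion case that sets `LdapConfig.ldap_allow_empty_pass = false`, calls `checkPlainPassword` with an empty password for a user that exists in LDAP, and asserts the exception would close the gap. The existing case could also carry a one-line comment noting that `setCheckPassword(true)` makes the mocked LDAP check succeed, so the final `assertFalse` shows the request was rejected before the password check.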
From: Ivan Orekhov Date: Thu, 29 Jan 2026 18:28:29 +0300 Subject: [PATCH 15/18] fix: fixing indentation --- .../src/main/java/org/apache/doris/common/ErrorCode.java | 2 +- .../doris/mysql/authenticate/ldap/LdapAuthenticator.java | 5 +++-- .../src/main/java/org/apache/doris/mysql/privilege/Auth.java | 1 - .../doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java | 3 +-- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java index c60088c41fc3ac..0707a2ccfe7631 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java +++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java @@ -1236,7 +1236,7 @@ public enum ErrorCode { "Command only support in cloud mode."), ERR_EMPTY_PASSWORD(6001, new byte[]{'4', '2', '0', '0', '0'}, - "Access with empty password is prohibited for user %s because of current mode"); + "Access with empty password is prohibited for user %s because of current mode"); // This is error code private final int code; diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java index c9335bc30cd177..2098680e97cd35 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java 
@@ -85,7 +85,7 @@ public boolean canDeal(String qualifiedUser) { /** * The LDAP authentication process is as follows: - * step1: Check the LDAP password (depending on value of property LdapConfig.ldap_allow_empty_pass login with empty pass can be prohibited). + * step1: Check the LDAP password (if ldap_allow_empty_pass is false login with empty pass is prohibited). * step2: Get the LDAP groups privileges as a role, saved into ConnectContext. * step3: Set current userIdentity. If the user account does not exist in Doris, login as a temporary user. * Otherwise, login to the Doris account. @@ -99,7 +99,8 @@ private AuthenticateResponse internalAuthenticate(String password, String qualif //not allow to login in case when empty password is specified but such mode is disabled by configuration if (Strings.isNullOrEmpty(password) && !LdapConfig.ldap_allow_empty_pass) { - LOG.info("user:{} is not allowed to login with LDAP with empty password because of ldap_allow_empty_pass is {}", userName, LdapConfig.ldap_allow_empty_pass); + LOG.info("user:{} is not allowed to login to LDAP with empty password because ldap_allow_empty_pass:{}", + userName, LdapConfig.ldap_allow_empty_pass); ErrorReport.report(ErrorCode.ERR_EMPTY_PASSWORD, qualifiedUser + "@" + remoteIp); return AuthenticateResponse.failedResponse; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java index 3ea2c990fd2523..48f4d431c89d1c 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java 
@@ -47,7 +47,6 @@ import org.apache.doris.datasource.CatalogIf; import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.mysql.MysqlPassword; -import org.apache.doris.mysql.authenticate.AuthenticateResponse; import org.apache.doris.mysql.authenticate.AuthenticateType; import org.apache.doris.mysql.authenticate.ldap.LdapManager; import org.apache.doris.mysql.authenticate.ldap.LdapUserInfo; diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java index d7bee2514ba6ce..17dea744b17d73 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java @@ -28,7 +28,6 @@ import com.google.common.collect.Lists; import mockit.Expectations; import mockit.Mocked; - import org.junit.After; import org.junit.Assert; import org.junit.Test; @@ -162,7 +161,7 @@ public void testEmptyPassword() throws IOException { //running test with specified value - false - ldap_allow_empty_pass is explicitly set to false LdapConfig.ldap_allow_empty_pass = false; response = ldapAuthenticator.authenticate(request); - Assert.assertFalse(response.isSuccess()); + Assert.assertFalse(response.isSuccess()); } @After From 9780921f12d9e0edc33695e453cc7b52e70af982 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Fri, 30 Jan 2026 10:04:53 +0300 Subject: [PATCH 16/18] fix: fix indentation --- .../doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java index 17dea744b17d73..86fd577021df4b 100644 
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java @@ -161,7 +161,7 @@ public void testEmptyPassword() throws IOException { //running test with specified value - false - ldap_allow_empty_pass is explicitly set to false LdapConfig.ldap_allow_empty_pass = false; response = ldapAuthenticator.authenticate(request); - Assert.assertFalse(response.isSuccess()); + Assert.assertFalse(response.isSuccess()); } @After From bef580bf2a150f5e0c385bbb3f0a376309e2bf56 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Fri, 6 Feb 2026 13:49:43 +0300 Subject: [PATCH 17/18] fix: improve test to restore property before test --- .../mysql/authenticate/ldap/LdapAuthenticatorTest.java | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java index 86fd577021df4b..4a1a96c1ddaf8b 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java @@ -29,6 +29,7 @@ import mockit.Expectations; import mockit.Mocked; import org.junit.After; +import org.junit.Before; import org.junit.Assert; import org.junit.Test; @@ -168,4 +169,9 @@ public void testEmptyPassword() throws IOException { public void tearDown() { LdapConfig.ldap_allow_empty_pass = true; // restoring default value for other tests } + + @Before + public void setUp() { + LdapConfig.ldap_allow_empty_pass = true; //restoring default value for other tests + } } From 5ca3f3dbd77a6a27be7fbcb730efdc949c1a22a9 Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Fri, 6 Feb 2026 19:22:43 +0300 Subject: [PATCH 18/18] fix import order --- .../doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java index 4a1a96c1ddaf8b..5a17a3caa80f31 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorTest.java @@ -29,8 +29,8 @@ import mockit.Expectations; import mockit.Mocked; import org.junit.After; -import org.junit.Before; import org.junit.Assert; +import org.junit.Before; import org.junit.Test; import java.io.IOException;