[BugFix] Fix LDAP authentication bug where empty password can success…

…fully login on AD server (backport #41982) (#42566) ## Why I'm doing: If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be "none". This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to "none" if a password is not supplied. https://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html ## What I'm doing: Reject empty password. Co-authored-by: gengjun-git <[email protected]>
StarRocks · Mar 13, 2024 · 674b701 · 674b701
1 parent 0b80015
commit 674b701
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/fe/fe-core/src/main/java/com/starrocks/mysql/security/LdapSecurity.java b/fe/fe-core/src/main/java/com/starrocks/mysql/security/LdapSecurity.java
@@ -2,6 +2,7 @@
 
 package com.starrocks.mysql.security;
 
+import com.google.common.base.Strings;
 import com.starrocks.common.Config;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -19,6 +20,11 @@ public class LdapSecurity {
 
     //bind to ldap server to check password
     public static boolean checkPassword(String dn, String password) {
+        if (Strings.isNullOrEmpty(password)) {
+            LOG.warn("empty password is not allowed for simple authentication");
+            return false;
+        }
+
         String url = "ldap://" + Config.authentication_ldap_simple_server_host + ":" +
                 Config.authentication_ldap_simple_server_port;
         Hashtable<String, String> env = new Hashtable<>();
@@ -51,6 +57,11 @@ public static boolean checkPassword(String dn, String password) {
     //2. search user
     //3. if match exactly one, check password
     public static boolean checkPasswordByRoot(String user, String password) {
+        if (Strings.isNullOrEmpty(Config.authentication_ldap_simple_bind_root_pwd)) {
+            LOG.warn("empty password is not allowed for simple authentication");
+            return false;
+        }
+
         String url = "ldap://" + Config.authentication_ldap_simple_server_host + ":" +
                 Config.authentication_ldap_simple_server_port;
         Hashtable<String, String> env = new Hashtable<>();