Description
Search before asking
- I had searched in the issues and found no similar issues.
Description
In the current configuration there is no explicit check for the case when a user provides an empty password for LDAP.
Because of this, when a user exists in LDAP but no password is provided, the login attempt succeeds due to the logic of the LDAP protocol.
Unfortunately, such behavior is not recommended for a secured environment.
So, to prevent such a situation, I'll introduce a change which will support the existing behavior but will allow disabling login with an empty password if needed.
Solution
There was a similar issue which was abandoned by its author for some reason - https://github.com/apache/doris/pull/54099/files.
So I would like to introduce similar logic with minor improvements.
The proposed solution is to introduce a new non-mandatory configuration property ldap_allow_empty_pass with default value true.
The default value, or an explicitly specified true, will support the existing behavior, and existing users will be able to log in to LDAP with an empty password.
But if false is specified, an extra check for an empty password will be introduced and an attempt to log in with an empty password will be denied.
Also, a new error code to explicitly identify such a situation will be introduced.
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct
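
The guard proposed in this issue, sketched as an added example (not code from the issue author or from the Doris code base). The class, the `Result` enum, the `simpleBind` stub and the directory entry are hypothetical; the stub models a server that reports success for the RFC 4513 "unauthenticated" simple bind (DN present, zero-length password), which is the protocol behavior the issue refers to.

```java
import java.util.Map;

public class LdapEmptyPasswordGuard {
    // EMPTY_PASSWORD_DENIED stands in for the new, dedicated error code.
    enum Result { OK, BAD_CREDENTIALS, EMPTY_PASSWORD_DENIED }

    static final String ALICE = "uid=alice,ou=people,dc=example,dc=org";
    // Constructed sample directory: DN -> password.
    static final Map<String, String> DIRECTORY = Map.of(ALICE, "s3cret");

    // Stub for the directory server. A bind that carries a known DN and an
    // empty password is answered with success without verifying anything.
    static boolean simpleBind(String dn, String password) {
        if (!DIRECTORY.containsKey(dn)) {
            return false;                 // user lookup failed
        }
        if (password.isEmpty()) {
            return true;                  // unauthenticated bind reported as success
        }
        return DIRECTORY.get(dn).equals(password);
    }

    // ldapAllowEmptyPass mirrors the proposed ldap_allow_empty_pass property,
    // whose default (true) keeps the existing behavior.
    static Result login(String dn, String password, boolean ldapAllowEmptyPass) {
        // Treat null like empty so a missing password field cannot skip the guard.
        String pw = (password == null) ? "" : password;
        if (pw.isEmpty() && !ldapAllowEmptyPass) {
            return Result.EMPTY_PASSWORD_DENIED;   // rejected before any bind is sent
        }
        return simpleBind(dn, pw) ? Result.OK : Result.BAD_CREDENTIALS;
    }

    public static void main(String[] args) {
        // Flag left at its default: the empty password is passed to the server.
        System.out.println("allow=true,  empty:  " + login(ALICE, "", true));
        // Flag disabled: empty and null passwords are refused up front.
        System.out.println("allow=false, empty:  " + login(ALICE, "", false));
        System.out.println("allow=false, null:   " + login(ALICE, null, false));
        // Real credentials are unaffected by the flag.
        System.out.println("allow=false, valid:  " + login(ALICE, "s3cret", false));
        System.out.println("allow=false, wrong:  " + login(ALICE, "guess", false));
    }
}
```

The check sits in front of the bind call, so with the flag disabled the outcome no longer depends on how the directory server is configured to treat unauthenticated binds.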