JWuCines opened a new pull request, #19432:
URL: https://github.com/apache/druid/pull/19432
### Description
When using LDAP servers that do not return the `memberOf` attribute in user
search results, group-based authorization denies all requests because Druid
cannot determine the user's group memberships. This is a known issue with LDAP
servers such as OpenLDAP, where `memberOf` is either not enabled by default (it
requires the `memberof` overlay module) or is stored as an operational
attribute that Java JNDI cannot retrieve — even when `ldapsearch` returns it
correctly.
This PR adds an optional reverse group lookup mechanism to
`LDAPCredentialsValidator`. When configured, if the user search does not return
a `memberOf` attribute, Druid searches group entries to find which groups
contain the user's DN and injects the resolved group DNs as synthetic
`memberOf` values into the `SearchResult`. The existing `LDAPRoleProvider`
(authorizer) then processes these groups as usual, requiring no changes.
The feature is disabled by default. It activates only when both
`groupBaseDn` and `groupSearch` are configured and the user search result lacks
`memberOf`.
#### Added reverse group lookup to LDAPCredentialsValidator
Added `populateMemberOfFromGroupSearch()` method that performs a reverse
LDAP search (e.g., `(uniqueMember=<userDN>)`) against the configured group base
DN. The method:
- Uses `setReturningAttributes(new String[]{"1.1"})` to request only the DN,
minimizing response size.
- Escapes the user DN with `encodeForLDAP(userDn, true)` to prevent LDAP
filter injection.
- Catches `NamingException` internally and logs an error, so a misconfigured
group search does not block user authentication — the user proceeds without
group memberships.
#### Added group search configuration to BasicAuthLDAPConfig
Added two optional fields (`groupBaseDn`, `groupSearch`) with a
backward-compatible constructor that delegates to the new constructor with
`null` defaults. Added `isGroupSearchConfigured()` convenience method.
#### Added helper methods for readability
- `hasMemberOfAttribute(SearchResult)`: checks if `memberOf` is present on
the search result.
- `isGroupSearchConfigured()`: checks if both group search properties are
set.
#### Added embedded integration test for reverse group lookup
- `LdapReverseGroupLookupAuthResource`: Extends `LdapAuthResource` to add
`groupBaseDn` and `groupSearch` properties to the LDAP credentials validator
configuration.
- `BasicAuthLdapReverseGroupLookupTest`: Extends
`BasicAuthLdapConfigurationTest` to run the full LDAP auth test suite with
reverse group lookup enabled. Verifies that group-based authorization works on
OpenLDAP (which does not return `memberOf` by default).
#### Updated documentation
- `docs/development/extensions-core/druid-basic-security.md`: Added property
reference entries for `groupBaseDn` and `groupSearch`.
- `docs/operations/auth-ldap.md`: Added "Group search reverse lookup
configuration" section explaining the problem and configuration. Updated the
existing info box to reference both manual role mapping and the new reverse
lookup as alternatives.
#### Updated spellcheck dictionary
- `website/.spelling`: Added `DN` and `JNDI` to the global dictionary to fix
5 spellcheck errors in the new documentation.
#### Release note
Added support for LDAP group-based authorization on servers that do not
return the `memberOf` attribute (e.g., OpenLDAP). Configure `groupBaseDn` and
`groupSearch` on the LDAP credentials validator to enable a reverse group
lookup that resolves group memberships automatically.
<hr>
##### Key changed/added classes in this PR
* `BasicAuthLDAPConfig`
* `LDAPCredentialsValidator`
* `LDAPCredentialsValidatorTest`
* `LdapReverseGroupLookupAuthResource`
* `BasicAuthLdapReverseGroupLookupTest`
<hr>
This PR has:
- [x] been self-reviewed.
- [x] added documentation for new or modified features or behaviors.
- [x] a release note entry in the PR description.
- [x] added comments explaining the "why" and the intent of the code
wherever it would not be obvious for an unfamiliar reader.
- [x] added unit tests or modified existing tests to cover new code paths,
ensuring the threshold for code coverage is met.
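The reverse lookup described under "Added reverse group lookup to LDAPCredentialsValidator", as an added Python sketch that is not part of this PR or of Druid: it escapes the user DN before substituting it into the group filter, asks for the `1.1` (no attributes) return set, injects the matching group DNs as synthetic `memberOf` values, and falls back to "authenticated, no groups" when the group search fails. The `%s` placeholder in `groupSearch`, the `encode_for_ldap_filter` escaping table and the in-memory `GROUPS` directory are assumptions made for the example.

```python
import logging
import re

log = logging.getLogger("ldap-reverse-lookup")

# RFC 4515 filter-value escaping, the same idea as ESAPI's encodeForLDAP(value, true)
# (assumption: ESAPI escapes exactly these characters when encodeWildcards is true).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def encode_for_ldap_filter(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_group_filter(group_search, user_dn):
    # Assumption: groupSearch is a template with a %s placeholder, e.g. "(uniqueMember=%s)".
    return group_search % encode_for_ldap_filter(user_dn)

class LdapError(Exception):
    """Stand-in for javax.naming.NamingException."""

def populate_member_of(user_entry, user_dn, group_base_dn, group_search, search):
    """Return the user entry, adding synthetic memberOf values if the directory omitted them.
    `search(base_dn, ldap_filter, returning_attrs)` plays the role of DirContext.search()."""
    if user_entry.get("memberOf"):             # hasMemberOfAttribute(): nothing to do
        return user_entry
    if not (group_base_dn and group_search):   # isGroupSearchConfigured(): feature off
        return user_entry
    try:
        # "1.1" requests no attributes, so only the matching group DNs come back.
        group_dns = search(group_base_dn, build_group_filter(group_search, user_dn), ["1.1"])
    except LdapError as exc:
        log.error("reverse group lookup failed for %s: %s", user_dn, exc)
        return user_entry                      # still authenticated, just with no groups
    return {**user_entry, "memberOf": list(group_dns)} if group_dns else user_entry

# Constructed toy directory (not a real LDAP server): group DN -> uniqueMember values.
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": ["uid=alice,ou=people,dc=example,dc=com"],
    "cn=readers,ou=groups,dc=example,dc=com": ["uid=alice,ou=people,dc=example,dc=com",
                                               "uid=bob,ou=people,dc=example,dc=com"],
}

def fake_group_search(base_dn, ldap_filter, returning_attrs):
    """Accepts only a (uniqueMember=value) filter; anything else counts as misconfiguration."""
    match = re.fullmatch(r"\(uniqueMember=(.*)\)", ldap_filter)
    if match is None:
        raise LdapError("unsupported filter: " + ldap_filter)
    wanted = match.group(1)   # arrives escaped, so compare against escaped member values
    return sorted(dn for dn, members in GROUPS.items() if dn.endswith(base_dn)
                  and any(encode_for_ldap_filter(m) == wanted for m in members))
```

Calling `populate_member_of({"uid": ["alice"]}, "uid=alice,ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com", "(uniqueMember=%s)", fake_group_search)` yields both group DNs under `memberOf`, while a filter the directory cannot serve (here `(member=%s)`) logs an error and returns the entry unchanged.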
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]