Avoid executing ldap queries for validating password

Previously we were trying to represent most of the operations via executeLdapSearch - so when we try to validatePassword, we login to the system and execute a query matching the user and query filter was on username. In case of OpenLDAP - the userName or distinguished name is of this format - uid=abc,...- which has an `=` and it is being treated as an equals filter condition when the filter expression is being parsed. While for AD the distinguished name is of this format abc@domain (if user is mapped based on UPN aka Unique Principal Name) not it is not a valid filter criteria, so we are not able to perform the validation.
trinodb · May 11, 2022 · e2fe654 · e2fe654
1 parent 52e7e81
commit e2fe654
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 8 deletions.
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/ldap/JdkLdapClient.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/ldap/JdkLdapClient.java
@@ -84,6 +84,15 @@ public JdkLdapClient(LdapClientConfig ldapConfig)
                 ldapConfig.getTruststorePassword());
     }
 
+    @Override
+    public <T> T processLdapContext(String userName, String password, LdapContextProcessor<T> contextProcessor)
+            throws NamingException
+    {
+        try (CloseableContext context = createUserDirContext(userName, password)) {
+            return contextProcessor.process(context.context);
+        }
+    }
+
     @Override
     public <T> T executeLdapQuery(String userName, String password, LdapQuery ldapQuery, LdapSearchResultProcessor<T> resultProcessor)
             throws NamingException

diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/ldap/LdapClient.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/ldap/LdapClient.java
@@ -15,10 +15,14 @@
 
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
+import javax.naming.directory.DirContext;
 import javax.naming.directory.SearchResult;
 
 public interface LdapClient
 {
+    <T> T processLdapContext(String userName, String password, LdapContextProcessor<T> contextProcessor)
+            throws NamingException;
+
     <T> T executeLdapQuery(String userName, String password, LdapQuery ldapQuery, LdapSearchResultProcessor<T> resultProcessor)
             throws NamingException;
 
@@ -27,4 +31,10 @@ interface LdapSearchResultProcessor<T>
         T process(NamingEnumeration<SearchResult> searchResults)
                 throws NamingException;
     }
+
+    interface LdapContextProcessor<T>
+    {
+        T process(DirContext dirContext)
+                throws NamingException;
+    }
 }
diff --git a/...d-authenticators/src/main/java/io/trino/plugin/password/ldap/LdapAuthenticatorClient.java b/...d-authenticators/src/main/java/io/trino/plugin/password/ldap/LdapAuthenticatorClient.java
@@ -38,14 +38,7 @@ public LdapAuthenticatorClient(LdapClient ldapClient)
     public void validatePassword(String userDistinguishedName, String password)
             throws NamingException
     {
-        ldapClient.executeLdapQuery(
-                userDistinguishedName,
-                password,
-                new LdapQuery.LdapQueryBuilder()
-                        .withSearchBase(userDistinguishedName)
-                        .withSearchFilter(userDistinguishedName)
-                        .build(),
-                searchResults -> null);
+        ldapClient.processLdapContext(userDistinguishedName, password, context -> null);
     }
 
     public boolean isGroupMember(String searchBase, String groupSearch, String contextUserDistinguishedName, String contextPassword)