[#4421] [YCQL] Disallow Unauthenticated LDAP binding + add handling f…

…or ycql_ldap_search_filter Summary: LDAP protocol has an "Unauthenticated" bind mechanism which allows successful bind with a non-empty username but empty password. As per https://datatracker.ietf.org/doc/html/rfc4513#section-6.3.1, clients and servers, both, should steer clear of this bind mechanism. For this, a check has been added to error out on empty passwords. Another fix in this diff is that the handling and tests for ycql_ldap_search_filter were missing. They have been added now. Test Plan: Jenkins: urgent ./yb_build.sh --java-test org.yb.cql.TestLDAPAuth Reviewers: dmitry, alan, mihnea Reviewed By: alan, mihnea Subscribers: yql Differential Revision: https://phabricator.dev.yugabyte.com/D13197
yugabyte · Sep 27, 2021 · 08ad5c8 · 08ad5c8
1 parent a1d5c99
commit 08ad5c8
Show file tree

Hide file tree

Showing 6 changed files with 291 additions and 36 deletions.
diff --git a/docs/content/latest/secure/enable-authentication/ycql.md b/docs/content/latest/secure/enable-authentication/ycql.md
@@ -273,7 +273,7 @@ Connecting to the cluster with the default password would no longer work:
 ```
 $ bin/ycqlsh -u cassandra -p cassandra
 Connection error:
-  ... Provided username cassandra and/or password are incorrect ...
+  ... Provided username 'cassandra' and/or password are incorrect ...
 ```
 
 You can now connect to the cluster using the new password:

diff --git a/docs/content/stable/secure/enable-authentication/ycql.md b/docs/content/stable/secure/enable-authentication/ycql.md
@@ -273,7 +273,7 @@ Connecting to the cluster with the default password would no longer work:
 ```
 $ bin/ycqlsh -u cassandra -p cassandra
 Connection error:
-  ... Provided username cassandra and/or password are incorrect ...
+  ... Provided username 'cassandra' and/or password are incorrect ...
 ```
 
 You can now connect to the cluster using the new password:

diff --git a/java/yb-cql/src/test/java/org/yb/cql/TestAudit.java b/java/yb-cql/src/test/java/org/yb/cql/TestAudit.java
@@ -111,7 +111,7 @@ public void auth() throws Exception {
       assertAudit(
           new AuditLogEntry('E', "null", "LOGIN_ERROR", "AUTH",
               null /* batchId */, null /* keyspace */, null /* scope */,
-              "LOGIN FAILURE; Provided username user1 and/or password are incorrect"));
+              "LOGIN FAILURE; Provided username 'user1' and/or password are incorrect"));
     } catch (Exception ex) {
       throw ex;
     }