feat: Add reverse group lookup for LDAP servers that do not return memberOf

Author: JWuCines

extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java

@@ -206,6 +206,10 @@ public AuthenticationResult validateCredentials(
         throw new BasicSecurityAuthenticationException(Access.DEFAULT_ERROR_MESSAGE);
       }
 
+      if (this.ldapConfig.isGroupSearchConfigured() && !hasMemberOfAttribute(userResult)) {
+        enrichWithGroupSearch(userResult);
+      }
+
       byte[] salt = BasicAuthUtils.generateSalt();
       byte[] hash = hashGenerator.getOrComputePasswordHash(password, salt, this.ldapConfig.getCredentialIterations());
       LdapUserPrincipal newPrincipal = new LdapUserPrincipal(
@@ -253,14 +257,6 @@ SearchResult getLdapUserObject(BasicAuthLDAPConfig ldapConfig, DirContext contex
       finally {
         results.close();
       }
-
-      // Some LDAP servers do not return memberOf in search results. When memberOf is
-      // absent and group search configuration is provided, fall back to a reverse
-      // group lookup.
-      if (ldapConfig.isGroupSearchConfigured() && !hasMemberOfAttribute(userResult)) {
-        populateMemberOfFromGroupSearch(ldapConfig, context, userResult);
-      }
-
       return userResult;
     }
     catch (NamingException e) {
@@ -276,47 +272,41 @@ private static boolean hasMemberOfAttribute(SearchResult userResult)
   }
 
   @SuppressWarnings("BanJNDI")
-  private void populateMemberOfFromGroupSearch(
-      BasicAuthLDAPConfig ldapConfig,
-      DirContext context,
-      SearchResult userResult
-  )
+  private void enrichWithGroupSearch(SearchResult userResult)
   {
+    final ClassLoader currentClassLoader = Thread.currentThread().getContextClassLoader();
+    InitialDirContext dirContext = null;
     try {
+      Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
+      dirContext = new InitialDirContext(bindProperties(this.ldapConfig));
+
       final String userDn = userResult.getNameInNamespace();
       final SearchControls sc = new SearchControls();
       sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
-      // Request only the DN by returning a minimal attribute. The group DN is
-      // obtained via getNameInNamespace() and does not depend on any returned attribute.
       sc.setReturningAttributes(new String[]{"1.1"});
 
-      final String filter = StringUtils.format(ldapConfig.getGroupSearch(), encodeForLDAP(userDn, true));
-      final NamingEnumeration<SearchResult> groupResults = context.search(
-          ldapConfig.getGroupBaseDn(),
+      final String filter = StringUtils.format(this.ldapConfig.getGroupSearch(), encodeForLDAP(userDn, true));
+      final NamingEnumeration<SearchResult> groupResults = dirContext.search(
+          this.ldapConfig.getGroupBaseDn(),
           filter,
           sc
       );
 
       final BasicAttribute memberOfAttr = new BasicAttribute("memberOf");
       try {
         while (groupResults.hasMore()) {
-          final SearchResult groupResult = groupResults.next();
-          final String groupDn = groupResult.getNameInNamespace();
-          memberOfAttr.add(groupDn);
+          memberOfAttr.add(groupResults.next().getNameInNamespace());
         }
       }
       finally {
         groupResults.close();
       }
 
       if (memberOfAttr.size() > 0) {
-        if (userResult.getAttributes() != null) {
-          userResult.getAttributes().put(memberOfAttr);
-        } else {
-          final BasicAttributes attrs = new BasicAttributes(true);
-          attrs.put(memberOfAttr);
-          userResult.setAttributes(attrs);
+        if (userResult.getAttributes() == null) {
+          userResult.setAttributes(new BasicAttributes(true));
         }
+        userResult.getAttributes().put(memberOfAttr);
         LOG.debug(
             "Populated memberOf for user '%s' with %d groups from reverse group search",
             userDn,
@@ -327,6 +317,18 @@ private void populateMemberOfFromGroupSearch(
     catch (NamingException e) {
       LOG.error(e, "Exception during reverse group lookup, proceeding without group memberships");
     }
+    finally {
+      try {
+        if (dirContext != null) {
+          dirContext.close();
+        }
+      }
+      catch (Exception ignored) {
+        LOG.warn("Exception closing LDAP context");
+        // ignored
+      }
+      Thread.currentThread().setContextClassLoader(currentClassLoader);
+    }
   }
 
   boolean validatePassword(BasicAuthLDAPConfig ldapConfig, LdapName userDn, char[] password)

extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/LDAPCredentialsValidatorTest.java

@@ -171,7 +171,6 @@ public Context getInitialContext(Hashtable<?, ?> environment) throws NamingExcep
               ArgumentMatchers.any(SearchControls.class))
       ).thenReturn(makeNamingEnum(userResults));
 
-      // Group search results
       final SearchResult group1 = new SearchResult("cn=admins,ou=Groups,dc=example,dc=org", null, new BasicAttributes(true));
       group1.setNameInNamespace("cn=admins,ou=Groups,dc=example,dc=org");
       final SearchResult group2 = new SearchResult("cn=developers,ou=Groups,dc=example,dc=org", null, new BasicAttributes(true));