From 880cb9ab84bd285702e29a9dab7169953dba0ef8 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 9 Feb 2026 12:23:02 +0300 Subject: [PATCH 1/5] fix: 1st version of ldaps docs --- .../admin-manual/auth/authentication/ldap.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..15c83ae59d8de 100644 --- a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md @@ -49,13 +49,22 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + ldap_port = 389 # change it if ldap_use_ssl specified to true as different port (636) is used for LDAPS ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + ldap_use_ssl = true # specify true to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ``` +> Important for LDAPS: +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql 
@@ -250,7 +259,9 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. ## FAQ From 794e6a0076a12944103ea20d8433bda43096910c Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 9 Feb 2026 12:30:10 +0300 Subject: [PATCH 2/5] fix: improved version of ldaps docs --- .../admin-manual/auth/authentication/ldap.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md index 15c83ae59d8de..06692107ceb1a 100644 --- a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md 
@@ -49,17 +49,23 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 # change it if ldap_use_ssl specified to true as different port (636) is used for LDAPS + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr - ldap_use_ssl = true # specify true to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + # specify ldap_use_ssl to true to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true ``` > Important for LDAPS: +> > When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. -> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): > ``` > # Example for JDK 17 > JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." From 135da3bd09075a95f81c021ff05e85f899adf864 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 9 Feb 2026 12:39:17 +0300 Subject: [PATCH 3/5] fix: final version of DORIS documentation --- docs/admin-manual/auth/authentication/ldap.md | 21 +++++++++++++++++-- .../admin-manual/auth/authentication/ldap.md | 21 +++++++++++++++++-- .../admin-manual/auth/authentication/ldap.md | 2 +- 3 files changed, 39 insertions(+), 5 deletions(-) 
diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..9a05239d10abd 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md @@ -49,13 +49,28 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + # specify ldap_use_ssl to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true ``` +> Important for LDAPS: +> +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql 
@@ -250,7 +265,9 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. ## FAQ diff --git a/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md index 464e5c9b52fcd..fdcf429b3bf6e 100644 --- a/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-3.x/admin-manual/auth/authentication/ldap.md 
@@ -49,13 +49,28 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ``` ldap_authentication_enabled = true ldap_host = ladp-host - ldap_port = 389 + # change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS + ldap_port = 389 ldap_admin_name = uid=admin,o=emr ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr + # specify ldap_use_ssl to true to use to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + ldap_use_ssl = true ``` +> Important for LDAPS: +> +> When `ldap_use_ssl = true`, ensure your LDAP server certificate is trusted by the Doris FE JVM. +> +> If using a custom or self-signed Certificate Authority (CA), you must configure the Java trustStore. +> +> Add the following parameters to JAVA_OPTS in `fe/conf/fe.conf` (adjust the path to your cacerts file): +> ``` +> # Example for JDK 17 +> JAVA_OPTS_FOR_JDK_17 = "-Djavax.net.ssl.trustStore=/path/to/your/cacerts -Djavax.net.ssl.trustStorePassword=changeit ..." +> ``` + 3. After starting `fe`, log in to Doris with `root` or `admin` account and set the LDAP admin password: ```sql 
@@ -250,7 +265,9 @@ You can refresh the cache with the `refresh ldap` statement. See [REFRESH-LDAP]( ## Known Limitations -- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, and between `fe` and LDAP service. +- Currently, Doris's LDAP functionality only supports cleartext password verification, meaning that when users log in, passwords are transmitted in plaintext between `client` and `fe`, but connection between `fe` and LDAP service can be secured optionally. +- **For `ldap_use_ssl = false` (default behavior)**: Passwords are transmitted in plain text between the Doris FE and the LDAP server. +- **To secure the connection**: Set `ldap_use_ssl = true` to encrypt traffic between Doris FE and the LDAP server. Note that SSL/TLS encryption between the **client and Doris FE** must be configured separately. ## FAQ diff --git a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md index 06692107ceb1a..fdcf429b3bf6e 100644 --- a/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md +++ b/versioned_docs/version-4.x/admin-manual/auth/authentication/ldap.md @@ -55,7 +55,7 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr - # specify ldap_use_ssl to true to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + # specify ldap_use_ssl to true to use to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true ``` From 330c4bd2aad46df51ab3c9dda80118087d6871a3 Mon Sep 17 00:00:00 2001 
From: Ivan Orekhov Date: Mon, 16 Feb 2026 12:22:22 +0300 Subject: [PATCH 4/5] fix: fixed typo within description of ldap_use_ssl --- docs/admin-manual/auth/authentication/ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 9a05239d10abd..99067ea5b1a3c 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md @@ -55,7 +55,7 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr - # specify ldap_use_ssl to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + # specify ldap_use_sslto true to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true ``` From 5f0035ef7f1e82881539d396e6d940f5ca949f10 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 16 Feb 2026 12:28:15 +0300 Subject: [PATCH 5/5] fix: typo on ldap_use_ssl description --- docs/admin-manual/auth/authentication/ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin-manual/auth/authentication/ldap.md b/docs/admin-manual/auth/authentication/ldap.md index 99067ea5b1a3c..9486166340b2b 100644 --- a/docs/admin-manual/auth/authentication/ldap.md +++ b/docs/admin-manual/auth/authentication/ldap.md 
@@ -55,7 +55,7 @@ In LDAP, data is organized in a tree structure. Here's an example of a typical L ldap_user_basedn = ou=people,o=emr ldap_user_filter = (&(uid={login})) ldap_group_basedn = ou=group,o=emr - # specify ldap_use_sslto true to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP + # specify ldap_use_ssl to true to use to switch to secured LDAPS protocol, specify false or comment property to use default behavior with plain LDAP ldap_use_ssl = true ```
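Review bot: Patch 1/5, first hunk (the `fe.conf` example in `version-4.x`): the new `# change it ...` and `# specify true ...` comments sit on the same line as the value. `fe.conf` is read as `key = value` lines and a `#` that does not start the line is not guaranteed to be treated as a comment, so a reader who copies the example can end up with `389 # change it if ...` as the literal value of `ldap_port`. Patch 2/5 moves both comments onto their own lines; squash that into this patch so the inline form never appears in the history. The example is also internally inconsistent: it sets `ldap_use_ssl = true` while keeping `ldap_port = 389`, right next to a comment saying LDAPS uses 636. Either show `ldap_port = 636` beside `ldap_use_ssl = true`, or keep the plain-LDAP example (`ldap_use_ssl = false`, port 389) and put the LDAPS pair in the blockquote. In the trustStore note, `-Djavax.net.ssl.trustStore=...` replaces the JVM's default trust store rather than extending it, so say explicitly that the file should be a copy of the JDK `cacerts` with the private CA imported (`keytool -importcert`), otherwise FE stops trusting public CAs; also note that `changeit` is only the default password of the stock `cacerts` file and that anything placed in `JAVA_OPTS_FOR_JDK_17` is visible in the FE process command line. While here, `ladp-host` in the unchanged context line is a typo for `ldap-host`.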
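Review bot: Patch 1/5, Known Limitations hunk (and the identical copies in patch 3/5 for `docs/` and `version-3.x`): the rewritten first bullet is a run-on that states the limitation and then half-retracts it ("passwords are transmitted in plaintext ..., but connection between `fe` and LDAP service can be secured optionally"), and the two new bullets repeat the same point. Suggest one clear statement: FE still performs cleartext password verification, i.e. the password itself is sent to the LDAP server; with `ldap_use_ssl = true` that exchange happens inside a TLS session, with `ldap_use_ssl = false` (the default) it crosses the network in clear. Keep the client-to-FE caveat, but link to the page that documents enabling SSL on the FE client port instead of only saying it "must be configured separately", since a reader of this section gets no pointer to it. Minor grammar: "but connection between" needs "the connection between".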
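Review bot: Patch 2/5: moving the comments onto their own lines is the right fix for the `key = value # comment` problem, but the example still pairs `ldap_use_ssl = true` with `ldap_port = 389`, so anyone who copies it attempts a TLS handshake against the plaintext port. Show `ldap_port = 636` under the LDAPS comment, or make the example the default configuration (`ldap_use_ssl = false`). The comment wording also needs tightening: "change ldap_port value if ldap_use_ssl specified to true as different port (636) is used for LDAPS" could become "set ldap_port to 636 when ldap_use_ssl is true; LDAPS uses a different port from plain LDAP (389)". The blank `>` line after "Important for LDAPS:" is a good change; the line itself should be bold so it renders as a heading for the note rather than as an unfinished sentence.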
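Review bot: Patch 3/5, config-example hunks for `docs/` and `versioned_docs/version-3.x`: the three copies of the `ldap_use_ssl` comment diverge in this patch. `docs/` gets "specify ldap_use_ssl to use to switch to secured LDAPS protocol", `version-3.x` gets "specify ldap_use_ssl to true to use to secured LDAPS protocol", and the final hunk rewrites the previously correct `version-4.x` line to the `version-3.x` wording. Patches 4 and 5 then touch only `docs/`, so at the end of the series `version-3.x` and `version-4.x` still read "to true to use to secured" while `docs/` reads "to true to use to switch to secured"; none of them is the clean sentence from patch 2. Pick one wording and apply it to all three files in one commit (squash 3 to 5), for example "set ldap_use_ssl = true to use LDAPS; set it to false or leave it unset for plain LDAP". Adding the option to the `version-3.x` manual also needs a statement of which 3.x release introduced `ldap_use_ssl`, otherwise users on earlier 3.x builds will set a property their FE does not recognise and still send credentials over plain LDAP.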
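Review bot: Patch 5/5: the "fixed" line still reads "specify ldap_use_ssl to true to use to switch to secured LDAPS protocol"; "to use to switch" is a leftover from the previous edit, so the typo fix is incomplete. Patches 4 and 5 only repair wording that patch 3 introduced (patch 4 even adds a new typo, `ldap_use_sslto`), so squash them into patch 3 rather than leaving intermediate broken docs in the history, and apply the same correction to the `version-3.x` and `version-4.x` copies, which this patch leaves untouched.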