[enhance](auth) introduction of ldaps support via configuration property

[iaorekhov-1980]

What problem does this PR solve?

This PR adds new configuration property ldap_use_ssl to enable usage of LDAPS to establish connection to LDAP instance.
If ldap_use_ssl in ldap.conf is specified as true - LDAPS is used to create connection string.
If ldap_use_ssl in ldap.conf is not specified or specified as false - LDAP is used to create connection string as now.

Could you please include this PR into 4.x and 3.1.x branches, please!

Issue Number: close #60236

Related PR: #xxx

Problem Summary:

Currently it is not possible to use LDAPS to create connection to secured LDAP instances.
New configuration property allows to connect to such instances, but default behavior still relies on LDAP as is.

Release note

None

Check List (For Author)

• Test

  • Regression test
  • Unit Test
  • Manual test (add detailed scripts or steps below)
  • No need to test or manual test. Explain why:
    • This is a refactor/code format and no logic has been changed.
    • Previous test can cover this change.
    • No code files have been changed.
    • Other reason

• Behavior changed:

  • No.
  • Yes.

1. ldap.conf and LdapConfig.java - new configuration ldap_use_ssl property added and static method to get actual URL connection string (this method was mostly introduced to support unit testing)
2. LdapClient.java - replaced explicit generation of URL connection string with call to new method in LDAP config
3. LdapClientTest.java - introduced new test method to validate existing behavior (without specified ldap_use_ssl property) and new one (with ldap_use_ssl property specified to true) to generate correct connection strings.

• Does this need documentation?
  • No.
  • Yes.

Check List (For Reviewer who merge this PR)

• Confirm the release note
• Confirm test cases
• Confirm document
• Add branch pick label

[Thearas]

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
3. What features were added. Why was this function added?
4. Which code was refactored and why was this part of the code refactored?
5. Which functions were optimized and what is the difference before and after the optimization?

[iaorekhov-1980]

run buildall

[iaorekhov-1980]

run buildall

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[hello-stephen]

FE UT Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run buildall

[doris-robot]

TPC-H: Total hot run time: 33048 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 3974e9f14b99a306b890e8c7962e57d2e06752c9, data reload: false

------ Round 1 ----------------------------------
q1	17633	5234	5034	5034
q2	2023	332	196	196
q3	10203	1317	753	753
q4	10222	855	320	320
q5	7515	2162	1920	1920
q6	197	179	149	149
q7	900	765	594	594
q8	9257	1395	1180	1180
q9	5206	4843	4858	4843
q10	6741	1945	1564	1564
q11	527	285	271	271
q12	337	382	231	231
q13	17770	4065	3242	3242
q14	231	237	227	227
q15	878	834	807	807
q16	682	728	632	632
q17	639	770	482	482
q18	6898	6538	7539	6538
q19	1137	1026	676	676
q20	433	382	238	238
q21	2842	2473	2057	2057
q22	1128	1094	1146	1094
Total cold run time: 103399 ms
Total hot run time: 33048 ms

----- Round 2, with runtime_filter_mode=off -----
q1	5528	5484	5452	5452
q2	262	340	279	279
q3	2351	2900	2537	2537
q4	1451	1918	1468	1468
q5	5117	4452	4656	4452
q6	233	189	137	137
q7	2032	1943	1855	1855
q8	2656	2493	2360	2360
q9	7521	7571	7353	7353
q10	2881	3178	2656	2656
q11	549	477	453	453
q12	680	762	635	635
q13	3875	4192	3188	3188
q14	273	306	262	262
q15	843	789	788	788
q16	624	701	630	630
q17	1085	1273	1298	1273
q18	7791	7415	7336	7336
q19	825	790	807	790
q20	1948	2053	1908	1908
q21	4486	4160	4055	4055
q22	1046	1014	962	962
Total cold run time: 54057 ms
Total hot run time: 50829 ms

[doris-robot]

ClickBench: Total hot run time: 28.47 s

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit 3974e9f14b99a306b890e8c7962e57d2e06752c9, data reload: false

query1	0.05	0.05	0.05
query2	0.10	0.05	0.05
query3	0.25	0.08	0.08
query4	1.61	0.11	0.11
query5	0.27	0.25	0.25
query6	1.16	0.69	0.67
query7	0.03	0.03	0.02
query8	0.05	0.03	0.03
query9	0.56	0.50	0.50
query10	0.56	0.54	0.54
query11	0.13	0.09	0.10
query12	0.14	0.10	0.10
query13	0.63	0.61	0.61
query14	1.05	1.07	1.06
query15	0.87	0.87	0.86
query16	0.41	0.40	0.41
query17	1.09	1.14	1.13
query18	0.23	0.21	0.22
query19	2.07	1.95	2.02
query20	0.02	0.02	0.02
query21	15.41	0.25	0.15
query22	5.31	0.06	0.05
query23	16.13	0.27	0.10
query24	1.52	0.34	0.39
query25	0.10	0.06	0.06
query26	0.15	0.14	0.14
query27	0.07	0.05	0.06
query28	3.55	1.14	0.96
query29	12.56	3.96	3.19
query30	0.28	0.13	0.15
query31	2.82	0.62	0.40
query32	3.23	0.59	0.49
query33	3.26	3.33	3.25
query34	16.36	5.40	4.78
query35	4.80	4.78	4.80
query36	0.64	0.50	0.49
query37	0.12	0.07	0.07
query38	0.08	0.04	0.04
query39	0.04	0.02	0.02
query40	0.18	0.16	0.16
query41	0.09	0.04	0.03
query42	0.04	0.03	0.03
query43	0.05	0.03	0.03
Total cold run time: 98.07 s
Total hot run time: 28.47 s

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run buildall

[iaorekhov-1980]

run p0

[doris-robot]

TPC-H: Total hot run time: 32785 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 3974e9f14b99a306b890e8c7962e57d2e06752c9, data reload: false

------ Round 1 ----------------------------------
q1	17639	5218	5047	5047
q2	2046	306	189	189
q3	10191	1357	761	761
q4	10225	907	341	341
q5	7561	2164	1959	1959
q6	197	181	150	150
q7	899	742	602	602
q8	9276	1494	1178	1178
q9	5212	4804	4832	4804
q10	6777	1966	1579	1579
q11	526	308	274	274
q12	341	381	229	229
q13	17766	4063	3289	3289
q14	265	237	212	212
q15	899	822	817	817
q16	686	677	608	608
q17	639	848	419	419
q18	6725	6593	6578	6578
q19	1284	980	614	614
q20	414	347	232	232
q21	2745	2123	1932	1932
q22	1024	1058	971	971
Total cold run time: 103337 ms
Total hot run time: 32785 ms

----- Round 2, with runtime_filter_mode=off -----
q1	5259	5260	5210	5210
q2	256	327	262	262
q3	2259	2729	2312	2312
q4	1413	1827	1348	1348
q5	4240	4190	4632	4190
q6	248	201	156	156
q7	2203	2016	1882	1882
q8	2691	2415	2416	2415
q9	7570	7563	7505	7505
q10	2884	2976	2555	2555
q11	532	473	467	467
q12	698	746	647	647
q13	4224	4256	3637	3637
q14	315	318	294	294
q15	915	854	825	825
q16	673	705	675	675
q17	1198	1385	1466	1385
q18	8146	7875	7875	7875
q19	868	865	859	859
q20	2106	2240	1939	1939
q21	4571	4262	4103	4103
q22	1082	1015	986	986
Total cold run time: 54351 ms
Total hot run time: 51527 ms

[doris-robot]

ClickBench: Total hot run time: 28.41 s

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit 3974e9f14b99a306b890e8c7962e57d2e06752c9, data reload: false

query1	0.05	0.06	0.05
query2	0.10	0.04	0.05
query3	0.26	0.08	0.09
query4	1.60	0.12	0.11
query5	0.28	0.25	0.25
query6	1.16	0.67	0.67
query7	0.03	0.03	0.02
query8	0.05	0.04	0.04
query9	0.56	0.50	0.50
query10	0.54	0.55	0.54
query11	0.15	0.09	0.10
query12	0.13	0.10	0.10
query13	0.62	0.62	0.61
query14	1.08	1.05	1.07
query15	0.88	0.86	0.87
query16	0.42	0.38	0.40
query17	1.08	1.14	1.14
query18	0.22	0.20	0.20
query19	2.10	1.99	2.05
query20	0.02	0.01	0.02
query21	15.41	0.25	0.14
query22	5.52	0.05	0.05
query23	16.27	0.28	0.10
query24	1.42	1.00	0.41
query25	0.11	0.06	0.09
query26	0.14	0.13	0.13
query27	0.11	0.06	0.04
query28	4.40	1.14	0.97
query29	12.54	3.90	3.17
query30	0.26	0.13	0.12
query31	2.82	0.64	0.41
query32	3.24	0.59	0.50
query33	3.34	3.23	3.35
query34	16.21	5.37	4.71
query35	4.76	4.76	4.78
query36	0.65	0.51	0.50
query37	0.10	0.06	0.06
query38	0.07	0.05	0.04
query39	0.05	0.04	0.03
query40	0.20	0.16	0.15
query41	0.09	0.04	0.03
query42	0.05	0.03	0.03
query43	0.05	0.04	0.04
Total cold run time: 99.14 s
Total hot run time: 28.41 s

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run cloud_p0

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run p0

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run nonConcurrent

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run p0

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run p0

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

Hi, this PR is ready for review. All CI checks have passed. Looking forward to your feedback.

[Copilot]

Pull request overview

This PR introduces support for LDAPS (LDAP over SSL) by adding a new configuration property ldap_use_ssl to enable secure connections to LDAP servers. When enabled, the connection URL uses the "ldaps://" protocol instead of "ldap://", maintaining backward compatibility with the default value of false.

Changes:

• Added ldap_use_ssl configuration property with default value false to maintain backward compatibility
• Extracted URL connection string construction logic into a new static method getConnectionURL() in LdapConfig to support both LDAP and LDAPS protocols
• Updated both LDAP connection creation points in LdapClient to use the new method instead of hardcoded "ldap://" protocol

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
conf/ldap.conf	Added documentation for the new ldap_use_ssl configuration property
fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java	Added ldap_use_ssl property and getConnectionURL() method to dynamically construct connection URLs
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java	Replaced hardcoded "ldap://" URLs with calls to LdapConfig.getConnectionURL() in both pooled and non-pooled connection methods
fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java	Added unit test to verify correct URL generation for both LDAP and LDAPS protocols, with proper cleanup

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run buildall

[doris-robot]

TPC-H: Total hot run time: 31275 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 89ad517796e64d2835b7e4ba9f7d4c84b141d428, data reload: false

------ Round 1 ----------------------------------
q1	17627	4389	4298	4298
q2	2033	339	254	254
q3	10113	1281	731	731
q4	10212	852	313	313
q5	7523	2208	1861	1861
q6	193	179	146	146
q7	911	721	573	573
q8	9267	1382	1013	1013
q9	5187	4834	4965	4834
q10	6843	1976	1553	1553
q11	530	303	289	289
q12	391	371	226	226
q13	17789	4026	3199	3199
q14	251	251	220	220
q15	870	796	805	796
q16	673	673	628	628
q17	643	751	555	555
q18	6854	6614	7276	6614
q19	1299	1031	647	647
q20	409	370	247	247
q21	2971	2637	1981	1981
q22	370	329	297	297
Total cold run time: 102959 ms
Total hot run time: 31275 ms

----- Round 2, with runtime_filter_mode=off -----
q1	4627	4635	4613	4613
q2	283	355	254	254
q3	2361	2892	2547	2547
q4	1475	1868	1468	1468
q5	4828	4505	4849	4505
q6	223	180	139	139
q7	1969	1900	1780	1780
q8	2600	2455	2355	2355
q9	7474	7668	7411	7411
q10	2782	2970	2553	2553
q11	544	474	449	449
q12	676	670	544	544
q13	3497	4028	3216	3216
q14	273	279	261	261
q15	824	777	779	777
q16	650	687	632	632
q17	1097	1260	1329	1260
q18	7536	7302	7415	7302
q19	835	790	796	790
q20	1959	2020	1857	1857
q21	4564	4347	4034	4034
q22	588	527	530	527
Total cold run time: 51665 ms
Total hot run time: 49274 ms

[doris-robot]

ClickBench: Total hot run time: 28.41 s

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit 89ad517796e64d2835b7e4ba9f7d4c84b141d428, data reload: false

query1	0.05	0.05	0.05
query2	0.10	0.04	0.04
query3	0.26	0.08	0.09
query4	1.61	0.12	0.11
query5	0.26	0.25	0.25
query6	1.18	0.68	0.67
query7	0.03	0.03	0.03
query8	0.05	0.04	0.04
query9	0.56	0.48	0.49
query10	0.54	0.55	0.55
query11	0.15	0.10	0.09
query12	0.15	0.11	0.10
query13	0.65	0.61	0.62
query14	1.07	1.07	1.06
query15	0.88	0.88	0.86
query16	0.39	0.39	0.40
query17	1.11	1.14	1.12
query18	0.24	0.22	0.22
query19	2.09	2.01	2.00
query20	0.02	0.01	0.01
query21	15.40	0.26	0.14
query22	5.11	0.06	0.05
query23	15.70	0.29	0.10
query24	1.50	1.16	0.18
query25	0.08	0.08	0.07
query26	0.15	0.14	0.14
query27	0.07	0.09	0.08
query28	4.76	1.16	0.96
query29	12.57	4.04	3.21
query30	0.28	0.13	0.12
query31	2.81	0.67	0.41
query32	3.24	0.60	0.50
query33	3.32	3.24	3.24
query34	15.94	5.47	4.73
query35	4.84	4.85	4.85
query36	0.65	0.50	0.49
query37	0.11	0.06	0.06
query38	0.08	0.04	0.04
query39	0.05	0.03	0.03
query40	0.20	0.17	0.15
query41	0.09	0.04	0.04
query42	0.05	0.03	0.03
query43	0.05	0.04	0.03
Total cold run time: 98.44 s
Total hot run time: 28.41 s

[hello-stephen]

FE UT Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run p0

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/4) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

Hello, @morningman
I've addressed Copilot's comments and greenlit the CI. PR is ready for another look!

[gavinchou]

where to load/find certificate and CA when ldaps is enabled?

[gavinchou]

pls also update the corresponding docs

[iaorekhov-1980]

Hi. @gavinchou
The information about certificates location is provided within JVM arguments in fe.conf in standard parameter, like below

# For jdk 17, this JAVA_OPTS will be used as default JVM options
JAVA_OPTS_FOR_JDK_17="-Djavax.net.ssl.trustStore=/opt/apache-doris/certs/cacerts -Dfile.encoding=UTF-8 -Djavax.security.auth.useSubjectCredsOnly=false -Xmx8192m -Xms2048m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=$LOG_DIR -Xlog:gc
*,classhisto*=trace:$LOG_DIR/fe.gc.log.$CUR_DATE:time,uptime:filecount=10,filesize=50M --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens java.base/jdk.internal.ref=ALL-UNNAMED"

Also could you please confirm the documentation to be changed.
https://github.com/apache/doris-website/blob/master/docs/admin-manual/auth/authentication/ldap.md
I assume this file should be updated with new information about support of LDAPS?

[iaorekhov-1980]

Hi, @gavinchou
I've update corresponding docs in apache/doris-website#3351
Could you please take a look?

[iaorekhov-1980]

Hi, @gavinchou
Could you please continue review of this PR?

[iaorekhov-1980]

Hello, @gavinchou
Could you please return to my PR as all comments have been solved