[Fix-17797][Helm] fix broken LDAP auth and missing search filter (#17802)

docherak · web-flow · commit 4d72bc462491 · 2025-12-22T10:31:45.000+08:00
diff --git a/deploy/kubernetes/dolphinscheduler/README.md b/deploy/kubernetes/dolphinscheduler/README.md
@@ -306,8 +306,9 @@ Please refer to the [Quick Start in Kubernetes](../../../docs/docs/en/guide/inst
 | security.authentication.ldap.ssl.jksbase64content | string | `""` | LDAP jks file base64 content. If you use macOS, please run `base64 -b 0 -i /path/to/your.jks`. If you use Linux, please run `base64 -w 0 /path/to/your.jks`. If you use Windows, please run `certutil -f -encode /path/to/your.jks`. Then copy the base64 content to below field in one line |
 | security.authentication.ldap.ssl.truststore | string | `"/opt/ldapkeystore.jks"` | LDAP jks file absolute path, do not change this value |
 | security.authentication.ldap.ssl.truststorepassword | string | `""` | LDAP jks password |
-| security.authentication.ldap.urls | string | `"ldap://ldap.forumsys.com:389/"` | LDAP urls |
-| security.authentication.ldap.user.admin | string | `"read-only-admin"` | Admin user account when you log-in with LDAP |
+| security.authentication.ldap.url | string | `"ldap://ldap.forumsys.com:389/"` | LDAP url |
+| security.authentication.ldap.user.adminuserfilter | string | `"(&(uid={0})(memberOf=cn=admin-group,ou=apps,dc=example,dc=com))"` | Any user matching this filter becomes an Admin. If set to `""`, ignore this option |
+| security.authentication.ldap.user.adminusername | string | `"read-only-admin"` | Admin user account when you log-in with LDAP. If the filter doesn't match anything this also acts as fallback. Set to `""` to ignore this option if you want to use filter only |
 | security.authentication.ldap.user.emailattribute | string | `"mail"` | LDAP user email attribute |
 | security.authentication.ldap.user.identityattribute | string | `"uid"` | LDAP user identity attribute |
 | security.authentication.ldap.user.notexistaction | string | `"CREATE"` | action when ldap user is not exist,default value: CREATE. Optional values include(CREATE,DENY) |
diff --git a/deploy/kubernetes/dolphinscheduler/templates/_helpers.tpl b/deploy/kubernetes/dolphinscheduler/templates/_helpers.tpl
@@ -195,16 +195,18 @@ Create a security environment variables.
 - name: SECURITY_AUTHENTICATION_TYPE
   value: {{ .Values.security.authentication.type | quote }}
 {{- if eq .Values.security.authentication.type "LDAP" }}
-- name: SECURITY_AUTHENTICATION_LDAP_URLS
-  value: {{ .Values.security.authentication.ldap.urls | quote }}
+- name: SECURITY_AUTHENTICATION_LDAP_URL
+  value: {{ .Values.security.authentication.ldap.url | quote }}
 - name: SECURITY_AUTHENTICATION_LDAP_BASE_DN
   value: {{ .Values.security.authentication.ldap.basedn | quote }}
 - name: SECURITY_AUTHENTICATION_LDAP_USERNAME
   value: {{ .Values.security.authentication.ldap.username | quote }}
 - name: SECURITY_AUTHENTICATION_LDAP_PASSWORD
   value: {{ .Values.security.authentication.ldap.password | quote }}
-- name: SECURITY_AUTHENTICATION_LDAP_USER_ADMIN
-  value: {{ .Values.security.authentication.ldap.user.admin | quote }}
+- name: SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USERNAME
+  value: {{ .Values.security.authentication.ldap.user.adminusername | quote }}
+- name: SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USER_FILTER
+  value: {{ .Values.security.authentication.ldap.user.adminuserfilter | quote }}
 - name: SECURITY_AUTHENTICATION_LDAP_USER_IDENTITY_ATTRIBUTE
   value: {{ .Values.security.authentication.ldap.user.identityattribute | quote }}
 - name: SECURITY_AUTHENTICATION_LDAP_USER_EMAIL_ATTRIBUTE
diff --git a/deploy/kubernetes/dolphinscheduler/values.yaml b/deploy/kubernetes/dolphinscheduler/values.yaml
@@ -221,17 +221,19 @@ security:
     type: PASSWORD
     # IF you set type `LDAP`, below config will be effective
     ldap:
-      # -- LDAP urls
-      urls: ldap://ldap.forumsys.com:389/
+      # -- LDAP url
+      url: ldap://ldap.forumsys.com:389/
       # -- LDAP base dn
       basedn: dc=example,dc=com
       # -- LDAP username
       username: cn=read-only-admin,dc=example,dc=com
       # -- LDAP password
       password: password
       user:
-        # -- Admin user account when you log-in with LDAP
-        admin: read-only-admin
+        # -- Any user matching this filter becomes an Admin. If set to `""`, ignore this option
+        adminuserfilter: (&(uid={0})(memberOf=cn=admin-group,ou=apps,dc=example,dc=com))
+        # -- Admin user account when you log-in with LDAP. If the filter doesn't match anything this also acts as fallback. Set to `""` to ignore this option if you want to use filter only
+        adminusername: read-only-admin
         # -- LDAP user identity attribute
         identityattribute: uid
         # -- LDAP user email attribute
