Merge pull request #1450 from hivemq/bug/EDG-191/ldap-auth-improvements-configuration-via-helm-charts-empty-queries

mschoenert-hivemq · web-flow · commit 31ccf56c8792 · 2026-03-16T09:10:13.000+01:00
EDG-191 LDAP Auth Improvements configuration via Helm Charts - allow empty user role queries
diff --git a/docker/config-k8s.xml b/docker/config-k8s.xml
@@ -124,24 +124,18 @@
 
             ${IF:HIVEMQ_LDAP_USER_ROLES_ENABLED}
             <user-roles>
-                ${IF:HIVEMQ_LDAP_USER_ROLE_ADMIN_QUERY}
                 <user-role>
                     <role>ADMIN</role>
                     <query>${ENV:HIVEMQ_LDAP_USER_ROLE_ADMIN_QUERY}</query>
                 </user-role>
-                ${IF:HIVEMQ_LDAP_USER_ROLE_ADMIN_QUERY}
-                ${IF:HIVEMQ_LDAP_USER_ROLE_SUPER_QUERY}
                 <user-role>
                     <role>SUPER</role>
                     <query>${ENV:HIVEMQ_LDAP_USER_ROLE_SUPER_QUERY}</query>
                 </user-role>
-                ${IF:HIVEMQ_LDAP_USER_ROLE_SUPER_QUERY}
-                ${IF:HIVEMQ_LDAP_USER_ROLE_USER_QUERY}
                 <user-role>
                     <role>USER</role>
                     <query>${ENV:HIVEMQ_LDAP_USER_ROLE_USER_QUERY}</query>
                 </user-role>
-                ${IF:HIVEMQ_LDAP_USER_ROLE_USER_QUERY}
             </user-roles>
             ${IF:HIVEMQ_LDAP_USER_ROLES_ENABLED}
 
diff --git a/hivemq-edge/src/main/java/com/hivemq/api/auth/provider/impl/ldap/LdapClient.java b/hivemq-edge/src/main/java/com/hivemq/api/auth/provider/impl/ldap/LdapClient.java
@@ -295,6 +295,9 @@ public boolean authenticateUser(final @NotNull String username, final byte @NotN
         for (final var userRole : userRoles) {
             final String role = userRole.getRole();
             final String queryTemplate = userRole.getQuery();
+            if (queryTemplate.isBlank()) {
+                continue;
+            }
             try {
                 // Substitute {userDn} placeholder in query
                 final String query = queryTemplate.replace("{userDn}", userDn);
diff --git a/hivemq-edge/src/main/java/com/hivemq/util/render/IfUtil.java b/hivemq-edge/src/main/java/com/hivemq/util/render/IfUtil.java
@@ -49,10 +49,7 @@ public class IfUtil {
             "HIVEMQ_USERS_ENABLED",
             "HIVEMQ_LDAP_OBJECT_CLASS_ENABLED",
             "HIVEMQ_PRE_LOGIN_NOTICE_ENABLED",
-            "HIVEMQ_LDAP_USER_ROLES_ENABLED",
-            "HIVEMQ_LDAP_USER_ROLE_ADMIN_QUERY",
-            "HIVEMQ_LDAP_USER_ROLE_SUPER_QUERY",
-            "HIVEMQ_LDAP_USER_ROLE_USER_QUERY");
+            "HIVEMQ_LDAP_USER_ROLES_ENABLED");
 
     /**
      * Get a Java system property or system environment variable with the specified name.
diff --git a/hivemq-edge/src/main/resources/config.xsd b/hivemq-edge/src/main/resources/config.xsd
@@ -1189,7 +1189,7 @@
                                                         <xs:documentation>The role name to assign.</xs:documentation>
                                                     </xs:annotation>
                                                 </xs:element>
-                                                <xs:element name="query" type="nonEmptyString">
+                                                <xs:element name="query" type="xs:string">
                                                     <xs:annotation>
                                                         <xs:documentation>The LDAP query for this role.</xs:documentation>
                                                     </xs:annotation>
