ldap: modify variable name and initialize connection with root_dn and…

… root_pwd (#43824) (#43914)

close #43822

privilege/privileges/ldap/ldap_common.go

@@ -34,10 +34,10 @@ import (
 type ldapAuthImpl struct {
 	sync.RWMutex
 	// the following attributes are used to search the users
-	bindBaseDN string
-	bindRootDN string
-	bindRootPW string
-	searchAttr string
+	bindBaseDN  string
+	bindRootDN  string
+	bindRootPWD string
+	searchAttr  string
 
 	// the following attributes are used to connect to LDAP server
 	ldapServerHost string
@@ -61,16 +61,10 @@ func (impl *ldapAuthImpl) searchUser(userName string) (dn string, err error) {
 	}
 	defer impl.putConnection(l)
 
-	err = l.Bind(impl.bindRootDN, impl.bindRootPW)
+	err = l.Bind(impl.bindRootDN, impl.bindRootPWD)
 	if err != nil {
 		return "", errors.Wrap(err, "bind root dn to search user")
 	}
-	defer func() {
-		// bind to anonymous user
-		_, err = l.SimpleBind(&ldap.SimpleBindRequest{
-			AllowEmptyPassword: true,
-		})
-	}()
 
 	result, err := l.Search(&ldap.SearchRequest{
 		BaseDN: impl.bindBaseDN,
@@ -158,14 +152,15 @@ func (impl *ldapAuthImpl) getConnection() (*ldap.Conn, error) {
 			return nil, err
 		}
 
-		// try to bind anonymous user. It has two meanings:
+		// try to bind root user. It has two meanings:
 		// 1. Clear the state of previous binding, to avoid security leaks. (Though it's not serious, because even the current
-		//   connection has binded to other users, the following authentication will still fail. But the ACL for anonymous
-		//   user and a valid user could be different, so it's better to bind back to anonymous user here.
+		//   connection has binded to other users, the following authentication will still fail. But the ACL for root
+		//   user and a valid user could be different, so it's better to bind back to root user here.
 		// 2. Detect whether this connection is still valid to use, in case the server has closed this connection.
 		ldapConnection := conn.(*ldap.Conn)
 		_, err = ldapConnection.SimpleBind(&ldap.SimpleBindRequest{
-			AllowEmptyPassword: true,
+			Username: impl.bindRootDN,
+			Password: impl.bindRootPWD,
 		})
 		if err != nil {
 			// fail to bind to anonymous user, just release this connection and try to get a new one
@@ -219,7 +214,7 @@ func (impl *ldapAuthImpl) SetBindRootPW(bindRootPW string) {
 	impl.Lock()
 	defer impl.Unlock()
 
-	impl.bindRootPW = bindRootPW
+	impl.bindRootPWD = bindRootPW
 }
 
 // SetSearchAttr updates the search attributes.
@@ -318,7 +313,7 @@ func (impl *ldapAuthImpl) GetBindRootPW() string {
 	impl.RLock()
 	defer impl.RUnlock()
 
-	return impl.bindRootPW
+	return impl.bindRootPWD
 }
 
 // GetSearchAttr returns the search attributes.

sessionctx/variable/sysvar.go

@@ -2572,7 +2572,7 @@ var defaultSysVars = []*SysVar{
 	}, GetGlobal: func(ctx context.Context, vars *SessionVars) (string, error) {
 		return ldap.LDAPSASLAuthImpl.GetBindRootDN(), nil
 	}},
-	{Scope: ScopeGlobal, Name: AuthenticationLDAPSASLBindRootPW, Value: "", Type: TypeStr, SetGlobal: func(ctx context.Context, vars *SessionVars, s string) error {
+	{Scope: ScopeGlobal, Name: AuthenticationLDAPSASLBindRootPWD, Value: "", Type: TypeStr, SetGlobal: func(ctx context.Context, vars *SessionVars, s string) error {
 		ldap.LDAPSASLAuthImpl.SetBindRootPW(s)
 		return nil
 	}, GetGlobal: func(ctx context.Context, vars *SessionVars) (string, error) {
@@ -2654,7 +2654,7 @@ var defaultSysVars = []*SysVar{
 	}, GetGlobal: func(ctx context.Context, vars *SessionVars) (string, error) {
 		return ldap.LDAPSimpleAuthImpl.GetBindRootDN(), nil
 	}},
-	{Scope: ScopeGlobal, Name: AuthenticationLDAPSimpleBindRootPW, Value: "", Type: TypeStr, SetGlobal: func(ctx context.Context, vars *SessionVars, s string) error {
+	{Scope: ScopeGlobal, Name: AuthenticationLDAPSimpleBindRootPWD, Value: "", Type: TypeStr, SetGlobal: func(ctx context.Context, vars *SessionVars, s string) error {
 		ldap.LDAPSimpleAuthImpl.SetBindRootPW(s)
 		return nil
 	}, GetGlobal: func(ctx context.Context, vars *SessionVars) (string, error) {

sessionctx/variable/tidb_vars.go

@@ -1007,8 +1007,8 @@ const (
 	AuthenticationLDAPSASLBindBaseDN = "authentication_ldap_sasl_bind_base_dn"
 	// AuthenticationLDAPSASLBindRootDN defines the `dn` of the user to login the LDAP server and perform search.
 	AuthenticationLDAPSASLBindRootDN = "authentication_ldap_sasl_bind_root_dn"
-	// AuthenticationLDAPSASLBindRootPW defines the password of the user to login the LDAP server and perform search.
-	AuthenticationLDAPSASLBindRootPW = "authentication_ldap_sasl_bind_root_pw"
+	// AuthenticationLDAPSASLBindRootPWD defines the password of the user to login the LDAP server and perform search.
+	AuthenticationLDAPSASLBindRootPWD = "authentication_ldap_sasl_bind_root_pwd"
 	// AuthenticationLDAPSASLInitPoolSize defines the init size of connection pool to LDAP server for SASL plugin.
 	AuthenticationLDAPSASLInitPoolSize = "authentication_ldap_sasl_init_pool_size"
 	// AuthenticationLDAPSASLMaxPoolSize defines the max size of connection pool to LDAP server for SASL plugin.
@@ -1031,8 +1031,8 @@ const (
 	AuthenticationLDAPSimpleBindBaseDN = "authentication_ldap_simple_bind_base_dn"
 	// AuthenticationLDAPSimpleBindRootDN defines the `dn` of the user to login the LDAP server and perform search.
 	AuthenticationLDAPSimpleBindRootDN = "authentication_ldap_simple_bind_root_dn"
-	// AuthenticationLDAPSimpleBindRootPW defines the password of the user to login the LDAP server and perform search.
-	AuthenticationLDAPSimpleBindRootPW = "authentication_ldap_simple_bind_root_pw"
+	// AuthenticationLDAPSimpleBindRootPWD defines the password of the user to login the LDAP server and perform search.
+	AuthenticationLDAPSimpleBindRootPWD = "authentication_ldap_simple_bind_root_pwd"
 	// AuthenticationLDAPSimpleInitPoolSize defines the init size of connection pool to LDAP server for SASL plugin.
 	AuthenticationLDAPSimpleInitPoolSize = "authentication_ldap_simple_init_pool_size"
 	// AuthenticationLDAPSimpleMaxPoolSize defines the max size of connection pool to LDAP server for SASL plugin.