diff --git a/ydb/core/security/login_shared_func.cpp b/ydb/core/security/login_shared_func.cpp
index 95ea9ee15914..e6e2ca259180 100644
--- a/ydb/core/security/login_shared_func.cpp
+++ b/ydb/core/security/login_shared_func.cpp
@@ -19,9 +19,9 @@ THolder CreateNavigateKeySetRequest(const TS
 TAuthCredentials PrepareCredentials(const TString& login, const TString& password, const NKikimrProto::TAuthConfig& config) {
 if (config.HasLdapAuthentication() && !config.GetLdapAuthenticationDomain().empty()) {
- size_t n = login.find("@" + config.GetLdapAuthenticationDomain());
- if (n != TString::npos) {
- return {.AuthType = TAuthCredentials::EAuthType::Ldap, .Login = login.substr(0, n), .Password = password};
+ const TString domain = "@" + config.GetLdapAuthenticationDomain();
+ if (login.EndsWith(domain)) {
+ return {.AuthType = TAuthCredentials::EAuthType::Ldap, .Login = login.substr(0, login.size() - domain.size()), .Password = password};
 }
 }
 return {.AuthType = TAuthCredentials::EAuthType::Internal, .Login = login, .Password = password};
diff --git a/ydb/services/ydb/ydb_ldap_login_ut.cpp b/ydb/services/ydb/ydb_ldap_login_ut.cpp
index 08003d0591d3..54f132431c7b 100644
--- a/ydb/services/ydb/ydb_ldap_login_ut.cpp
+++ b/ydb/services/ydb/ydb_ldap_login_ut.cpp
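Review bot: The new suffix check in `PrepareCredentials` still accepts a login that consists of nothing but the domain suffix (for instance `@ldap` when the configured domain is `ldap`), so `.Login` becomes an empty string and the request is still routed to LDAP. How the LDAP provider handles an empty user name is not visible in this hunk, so I would reject that case here: `if (login.size() > domain.size() && login.EndsWith(domain)) {`. The suffix comparison is also case-sensitive, which may or may not match how the directory treats the domain part; a one-line comment stating the intended behaviour would help. The function's closing brace lies outside the hunk, and the test added in `ydb_ldap_login_ut.cpp` does not cover the empty-local-part login.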
@@ -378,5 +378,18 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
 loginConnection.Stop();
 ldapServer.Stop();
 }
+
+ Y_UNIT_TEST(LdapAuthSetIncorrectDomain) {
+ TString login = "ldapuser";
+ TString password = "ldapUserPassword";
+ const TString incorrectLdapDomain = "@ldap.domain"; // Correct domain is AuthConfig.LdapAuthenticationDomain: "ldap"
+
+ auto factory = CreateLoginCredentialsProviderFactory({.User = login + incorrectLdapDomain, .Password = password});
+ TLoginClientConnection loginConnection(InitLdapSettings);
+ auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
+ UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "Invalid user");
+
+ loginConnection.Stop();
+ }
 }
 } //namespace NKikimr
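Review bot: `LdapAuthSetIncorrectDomain` does not say why `Invalid user` is the expected outcome, nor why no mock LDAP server is started, whereas the preceding test stops an `ldapServer`. Presumably the login is meant to fall through to internal authentication because `@ldap.domain` only begins with the configured `@ldap`. A comment above the assertion would record that, e.g. `// "@ldap.domain" does not end with the configured "@ldap", so the login stays on the internal path and never reaches LDAP`. The enclosing test suite starts outside this hunk.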