Fix NPE in LDAP user lookup when memberOf attribute is absent (service accounts)#178
Merged
Conversation
- Make memberOf attribute access null-safe in resultToUserEntry - Log a warning when memberOf is absent (e.g. service accounts) - Expose resultToUserEntry as private[search] for testability - Add unit tests covering: groups present, no memberOf (service account), empty memberOf, and optional attributes with absent memberOf
Copilot
AI
changed the title
[WIP] Fix NPE in LDAP user lookup for missing memberOf attribute
Fix NPE in LDAP user lookup when memberOf attribute is absent (service accounts)
Jun 24, 2026
lsulak
approved these changes
Jun 24, 2026
lsulak
left a comment
Collaborator
There was a problem hiding this comment.
I checked the OneDS and the user indeed does have memberOf atteibute empty. The fix basically just wraps the processing of this attribute into Option and matches on it. Also added few unit tests, this should be ok, approving but feel free to check @TheLydonKing or @dk1844
dk1844
approved these changes
Jun 24, 2026
dk1844
left a comment
Collaborator
There was a problem hiding this comment.
LGTM (read the code, ran tests)
|
JaCoCo Coverage Report
Run 28100271342 · Event: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
LdapUserRepository.resultToUserEntrycrashes with aNullPointerExceptionfor LDAP principals that have nomemberOfattribute (e.g. service accounts), becauseattrs.get("memberOf")returnsnulland.getAll()is called unconditionally.Overview
Fix — make
memberOfaccess null-safe inresultToUserEntry:Option(attrs.get("memberOf"))defaults toSeq.empty[String]when the attribute is absentWARNlog whenmemberOfis missing so the gap is visible without noiseTestability —
resultToUserEntrychanged fromprivatetoprivate[search]to allow direct unit testing.Tests added in
LdapUserRepositoryTestusing ScalaMock covering:memberOfgroup DNs parsed correctlymemberOfattribute → empty groups, no exceptionmemberOfpresent but empty → empty groupsmemberOfis absentRelease Notes
NullPointerExceptionfor principals without amemberOfattribute (e.g. service accounts); missingmemberOfnow defaults to empty groupsRelated
Closes #177