
ldap-group-mapper fails when empty member: attribute is present #25883

Closed
FAUSheppy opened this issue Jan 3, 2024 · 2 comments · Fixed by #26930

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

ldap

Describe the bug

This error occurs:


2024-01-03 21:00:15,793 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-2) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.storage.ldap.idm.model.LDAPDn$RDN.getAttrValue(String)" because the return value of "org.keycloak.storage.ldap.idm.model.LDAPDn.getFirstRdn()" is null
	at org.keycloak.storage.ldap.mappers.membership.MembershipType$1.getLDAPMembersWithParent(MembershipType.java:66)
	at org.keycloak.storage.ldap.mappers.membership.MembershipType$1.getLDAPSubgroups(MembershipType.java:53)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getLDAPSubgroups(GroupLDAPStorageMapper.java:152)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.convertGroupsToInternalRep(GroupLDAPStorageMapper.java:241)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.syncDataFromFederationProviderToKeycloak(GroupLDAPStorageMapper.java:177)
	at org.keycloak.services.resources.admin.UserStorageProviderResource.syncMapperData(UserStorageProviderResource.java:255)
	at org.keycloak.services.resources.admin.UserStorageProviderResource$quarkusrestinvoker$syncMapperData_7d7259fd8f486e4638b0a2f1d3b37905909372a0.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840

when an empty member: attribute exists in the LDAP group like this:

dn: cn=test,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: test
member: 
member: uid=dev,ou=People,dc=example,dc=com

Such a member may be automatically created by various tools for empty groups. It should not cause the whole import for ALL groups to fail (or the entire sync).

Version

23.0.3

Expected behavior

a) Nothing happens, an empty member is ignored (my opinion)
b) At least just skip the group and import the rest

Actual behavior

Whole sync/group import crashes with "unknown_error" in web-interface and the above error in the log.

How to Reproduce?

Create an empty group via ldapmodify or something and see how this creates an empty member: entry, which is not removed once a member is added and causes the LDAP provider to crash during sync with the above error.

Anything else?

This bug started to occur somewhere between 20.0.3 and 22.0.2. It definitely worked on 20.0.3.

FAUSheppy added the kind/bug and status/triage labels Jan 3, 2024
FAUSheppy changed the title from "ldap-group-mapper fails when empty member: attributes is present" to "ldap-group-mapper fails when empty member: attribute is present" Jan 4, 2024

lukas-staab commented Jan 13, 2024

I can confirm this behaviour in 23.0.3 and it might be an issue to me as well, right now all my openLDAP Groups have an empty member to ensure every (real) member can be removed without errors.

Edit: Only the Mapping modes READ_ONLY and LDAP_ONLY are faulty with empty members. IMPORT does not throw errors. I have configured the LDAP provider as read only.

@ahus1 ahus1 added this to the 24.0.0 milestone Jan 31, 2024
sguilhen added a commit to sguilhen/keycloak that referenced this issue Feb 9, 2024
…found within a group

Closes keycloak#25883

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

sguilhen commented Feb 9, 2024

I confirm the bug - it was introduced by 7336ff0

I'm sending a PR with a fix - essentially changing the check order in MembershipType so that isDescendantOf is called first as that method returns false when an empty member is processed.
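The following Python model, added here and not taken from Keycloak or from the PR, reproduces the two things discussed in this thread: the crash path from the issue body (an empty member: value has no first RDN, so inspecting its RDN attribute dereferences null) and the check reordering sguilhen describes (run the descendant-of check first, which is false for an empty value, so the RDN is never touched). The LDIF is constructed from the group in the report plus an assumed nested subgroup; the "cn" RDN-attribute comparison is an assumption about what the membership filter checks, not a claim about Keycloak's actual code. A small audit helper lists empty member values so a directory can be checked before a sync is run.

```python
"""Model of the empty ``member:`` failure and of the reordered check.
Added example; not Keycloak's code."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed LDIF: the group from the issue, extended with a nested subgroup
# (assumption) so the membership filter has something to return.
SAMPLE_LDIF = """\
dn: cn=test,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: test
member: 
member: uid=dev,ou=People,dc=example,dc=com
member: cn=sub,cn=test,ou=groups,dc=example,dc=com

dn: cn=sub,cn=test,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: sub
member: uid=ops,ou=People,dc=example,dc=com
"""


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # attribute name -> list of values


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader (no continuation lines, no base64 values).
    Empty values are kept deliberately: a server returns them as-is."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in text.splitlines():
        if not line.strip():          # blank line separates entries
            current = None
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            current = Entry(dn=value)
            entries.append(current)
        elif current is not None:
            current.attrs.setdefault(name, []).append(value)
    return entries


def rdns(dn: str) -> List[str]:
    """Split a DN into RDN strings; an empty DN yields no RDNs at all."""
    return [p.strip() for p in dn.split(",") if p.strip()]


def first_rdn(dn: str) -> Optional[str]:
    """None for an empty DN: the counterpart of getFirstRdn() returning null."""
    parts = rdns(dn)
    return parts[0] if parts else None


def is_descendant_of(dn: str, parent: str) -> bool:
    """True when ``parent`` is a proper suffix of ``dn``; False for an empty DN."""
    child, par = rdns(dn), rdns(parent)
    return bool(par) and len(child) > len(par) and child[-len(par):] == par


def find_empty_members(entries: List[Entry], attr: str = "member"):
    """Audit helper: (group DN, position) of every empty member value."""
    return [(e.dn, i) for e in entries
            for i, v in enumerate(e.attrs.get(attr, [])) if v == ""]


def subgroups_buggy(group: Entry, attr: str = "member", rdn_attr: str = "cn"):
    """Failing order: the RDN attribute is inspected before the descendant
    check, so an empty value reaches the accessor with no RDN (the NPE)."""
    out = []
    for member_dn in group.attrs.get(attr, []):
        rdn = first_rdn(member_dn)                      # None for ""
        if rdn.split("=")[0] == rdn_attr and is_descendant_of(member_dn, group.dn):
            out.append(member_dn)
    return out


def subgroups_fixed(group: Entry, attr: str = "member", rdn_attr: str = "cn"):
    """Reordered as the PR comment describes: descendant check first; it is
    False for an empty value, so the RDN is never dereferenced."""
    out = []
    for member_dn in group.attrs.get(attr, []):
        if is_descendant_of(member_dn, group.dn) and first_rdn(member_dn).split("=")[0] == rdn_attr:
            out.append(member_dn)
    return out


def buggy_order_crashes(group: Entry) -> bool:
    """True if the pre-fix ordering fails on this group (models the NPE)."""
    try:
        subgroups_buggy(group)
        return False
    except AttributeError:
        return True


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print("empty member values:", find_empty_members(groups))
    print("buggy order crashes:", buggy_order_crashes(groups[0]))
    print("fixed order subgroups:", subgroups_fixed(groups[0]))
```

Running the module lists the empty value at position 0 of cn=test, shows the pre-fix ordering failing on that group, and shows the reordered filter returning only the nested cn=sub entry, so one stray empty value no longer aborts the whole group sync.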

ahus1 pushed a commit that referenced this issue Feb 9, 2024
…found within a group

Closes #25883

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
sguilhen added a commit to sguilhen/keycloak that referenced this issue Feb 16, 2024
…found within a group

Closes keycloak#25883

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
(cherry picked from commit d3ae075)
ahus1 pushed a commit that referenced this issue Feb 16, 2024
…found within a group

Closes #25883

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
(cherry picked from commit d3ae075)
ahus1 pushed a commit to ahus1/keycloak that referenced this issue Mar 22, 2024
…found within a group

Closes keycloak#25883

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>