Closed
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
ldap
Describe the bug
If a batch size of zero or negative value is set in an LDAP provider with pagination enabled, Keycloak fails with an NPE when fetching the groups of a user:
```
2025-04-10 09:31:34,300 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-125) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.storage.ldap.idm.query.internal.LDAPQuery$PaginationContext.hasNextPage()" because the return value of "org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getPaginationContext()" is null
    at org.keycloak.storage.ldap.LDAPUtils.loadAllLDAPObjects(LDAPUtils.java:315)
    at org.keycloak.storage.ldap.mappers.membership.UserRolesRetrieveStrategy$LoadRolesByMember.getLDAPRoleMappings(UserRolesRetrieveStrategy.java:72)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getLDAPGroupMappings(GroupLDAPStorageMapper.java:634)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getLDAPGroupMappingsConverted(GroupLDAPStorageMapper.java:778)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:711)
    at org.keycloak.models.utils.UserModelDelegate.getGroupsStream(UserModelDelegate.java:234)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.lambda$new$3(CachedUser.java:74)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getGroups(CachedUser.java:130)
    at org.keycloak.models.cache.infinispan.UserAdapter.getGroupsStream(UserAdapter.java:426)
    at org.keycloak.models.UserModel.getGroupsStream(UserModel.java:178)
    at org.keycloak.services.resources.admin.UserResource.groupMembership(UserResource.java:993)
    at org.keycloak.services.resources.admin.UserResource$quarkusrestinvoker$groupMembership_6d5ea59662c8fdf6f22ce3e4c00abcb12d38bfd9.invoke(Unknown Source)
    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
    at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
```
This happens because `LDAPUtils.loadAllLDAPObjects` attempts to fetch the next page from a pagination context that was not initialized because the call goes through `LDAPOperationsManager.search` as opposed to `LDAPOperationsManager.searchPaginated`, and the context is only initialized on `searchPaginated`.
Version
26.2.0
Regression
- The issue is a regression
Expected behavior
Setting a batch size value of zero or negative should result in a regular search being performed, as these values basically negate pagination. The server should be able to fetch the user's groups.
Actual behavior
Request fails due to an NPE.
How to Reproduce?
- Set up an LDAP provider with pagination enabled, then set the batch size to 0.
- Go to the users screen and select a user from LDAP.
- Go to the Groups tab -> ERROR and NPE shown in logs.
Anything else?
No response
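An added example, not part of the original report and not Keycloak's code: a self-contained model of the expected behavior, where a zero or negative batch size falls back to a single regular search and the load loop never touches an uninitialized pagination state. The `Query` class, its fields and `loadAll` are hypothetical stand-ins, and the group names are constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical model of the behaviour described in the report; these classes
// do not reproduce Keycloak's LDAPQuery, LDAPUtils or LDAPOperationsManager.
public class PaginationGuardDemo {

    static class Query {
        final List<String> directory;    // constructed sample entries
        final boolean paginationEnabled;
        final int batchSize;
        Integer nextOffset;              // stays null unless a paginated search ran

        Query(List<String> directory, boolean paginationEnabled, int batchSize) {
            this.directory = directory;
            this.paginationEnabled = paginationEnabled;
            this.batchSize = batchSize;
        }

        // Pagination is only meaningful with a positive batch size.
        boolean usePaging() { return paginationEnabled && batchSize > 0; }

        List<String> getResultList() {
            if (!usePaging()) {
                return new ArrayList<>(directory);   // regular search, no paging state
            }
            int from = nextOffset == null ? 0 : nextOffset;
            int to = Math.min(from + batchSize, directory.size());
            nextOffset = to;                          // paging state set only here
            return new ArrayList<>(directory.subList(from, to));
        }

        boolean hasNextPage() { return nextOffset != null && nextOffset < directory.size(); }
    }

    // Guarded load loop: asks for further pages only when paging is really in use.
    static List<String> loadAll(Query q) {
        List<String> all = new ArrayList<>(q.getResultList());
        while (q.usePaging() && q.hasNextPage()) {
            all.addAll(q.getResultList());
        }
        return all;
    }

    public static void main(String[] args) {
        List<String> groups = List.of("cn=admins", "cn=devs", "cn=ops");
        for (int batch : new int[] {2, 0, -1}) {
            System.out.println("batchSize=" + batch + " -> " + loadAll(new Query(groups, true, batch)));
        }
    }
}
```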