ldap.search.group.principle Issue

[scottsignal]

problem

ldap.search.group.principle by default is NULL in the database. If you enter a value and then make it blank, it just results in a blank field in the database. LDAP just ends up searching a blank value.

In the logs you will see this entry:
2025-08-20 10:39:56,759 DEBUG o.a.c.l.OpenLdapUserManagerImpl (qtp364604394-3267:ctx-e080a1e5) (logid:9d1297c5) adding search filter for '', using 'memberof'

versions

4.20.1

The steps to reproduce the bug

1. Put a value in ldap.search.group.principle
2. Remove the value in ldap.search.group.principle Note: Do not click reset to default
3. Attempt LDAP login and review the logs
   ...

What to do about it?

LDAP should treat a blank value the same as a NULL Value.

[DaanHoogland]

@scottsignal , I think you can reset to default instead of entering an empty string. In any case it should not work without search group principle. A better error message is in order, but empty or null doesn’t matter.

[scottsignal]

@DaanHoogland This is 100% a valid work around and this is what we ended up doing. I think the problem for me is that there is no way to indicate if a value is the default. Maybe this in itself would be an enhancement for down the road. IE only show the reset button if the value not the default?

[weizhouapache]

@scottsignal
can you test #11643 if possible ?

[scottsignal]

@scottsignal can you test #11643 if possible ?

I tried to test this on the 4.22 latest snapshot running in docker, but I am struggling to configure LDAP on it. I think this is possibly a limitation/bug in the simulator, but it won't encrypt the bind/truststore passwords.