When resolve_nested_roles: true and a user belongs to a group with an invalid DN
containing escape sequences (e.g., \0A newline), the nested resolution throws
INVALID_DN_SYNTAX followed by NullPointerException, causing the entire role
lookup to fail and return empty backend_roles.
Expected behavior: Skip malformed DNs and continue processing valid groups.
Affected version: OpenSearch 3.x
Error:
- INVALID_DN_SYNTAX: CN=SCA-LDAP\0ACNF:...
- NullPointerException: Cannot invoke "org.ldaptive.LdapEntry.getAttribute(String)" because "e0" is null
Stack trace:
at org.opensearch.security.auth.ldap.backend.LDAPAuthorizationBackend.resolveNestedRoles
at org.opensearch.security.auth.ldap.backend.LDAPAuthorizationBackend.addRoles
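
One way to get the expected behavior described above, as an added sketch in Java that is not the OpenSearch security plugin's code: each group DN is validated and looked up on its own, so a malformed DN or a missing entry is recorded and skipped instead of aborting the whole resolution. The `DIRECTORY` map, the sample DNs and the `resolve` method are constructed for illustration, and the JDK's `javax.naming.ldap.LdapName` stands in for whatever DN parsing the backend performs.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class NestedRoleSketch {
    // Constructed stand-in for the directory: group DN -> DNs of the groups it belongs to.
    static final Map<String, List<String>> DIRECTORY = Map.of(
        "cn=devs,ou=groups,dc=example,dc=org",
            List.of("cn=staff,ou=groups,dc=example,dc=org", "malformed-dn-without-attribute-type"),
        "cn=staff,ou=groups,dc=example,dc=org",
            List.of("cn=gone,ou=groups,dc=example,dc=org", "cn=devs,ou=groups,dc=example,dc=org"));

    // Resolves nested groups breadth-first. Problem DNs are appended to 'skipped'
    // so they can be logged; they never abort the lookup for the valid groups.
    static Set<String> resolve(Collection<String> directGroups, List<String> skipped) {
        Set<String> roles = new LinkedHashSet<>();
        Deque<String> queue = new ArrayDeque<>(directGroups);
        while (!queue.isEmpty()) {
            String dn = queue.poll();
            if (roles.contains(dn)) {
                continue; // already resolved; also stops membership cycles
            }
            try {
                new LdapName(dn); // syntax check only, throws on an invalid DN
            } catch (InvalidNameException e) {
                skipped.add(dn + " (invalid DN syntax)");
                continue; // isolate the failure to this one group
            }
            List<String> parents = DIRECTORY.get(dn);
            if (parents == null) {
                skipped.add(dn + " (no entry returned)");
                continue; // explicit null check instead of dereferencing a missing entry
            }
            roles.add(dn);
            queue.addAll(parents);
        }
        return roles;
    }

    public static void main(String[] args) {
        List<String> skipped = new ArrayList<>();
        Set<String> roles = resolve(List.of("cn=devs,ou=groups,dc=example,dc=org"), skipped);
        System.out.println("backend_roles: " + roles);
        System.out.println("skipped:       " + skipped);
    }
}
```

Recording the skipped DNs rather than silently dropping them keeps the malformed directory data visible to operators while the user's valid groups still resolve.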