From 36fb75bd2e003e83ad814c2b202b2c3b1b55d1b9 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani
Date: Wed, 20 Dec 2023 19:43:17 +0000
Subject: [PATCH] fix: npe if ldap query doesn't return attributes
We cannot assume the LDAP server will have group attributes programmed everytime. So handle it accordingly.
Signed-off-by: Ramkumar Chinchani
---
 pkg/api/ldap.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/pkg/api/ldap.go b/pkg/api/ldap.go
index 608e14b45e..4bc31f8d9c 100644
--- a/pkg/api/ldap.go
+++ b/pkg/api/ldap.go
@@ -174,7 +174,9 @@ func (lc *LDAPClient) Authenticate(username, password string) (bool, map[string]
 attributes := lc.Attributes
 attributes = append(attributes, "dn")
- attributes = append(attributes, lc.UserGroupAttribute)
+ if lc.UserGroupAttribute != "" {
+ attributes = append(attributes, lc.UserGroupAttribute)
+ }
 searchScope := ldap.ScopeSingleLevel
@@ -207,7 +209,7 @@ func (lc *LDAPClient) Authenticate(username, password string) (bool, map[string]
 return false, nil, nil, err
 }
- if len(search.Entries) > 1 {
+ if lc.UserGroupAttribute != "" && len(search.Entries) > 1 {
 err := errors.ErrEntriesExceeded
 lc.Log.Error().Err(err).Str("bindDN", lc.BindDN).Str("username", username).
 Str("baseDN", lc.Base).Msg("failed to retrieve due to an excessive amount of entries")
@@ -216,8 +218,11 @@ func (lc *LDAPClient) Authenticate(username, password string) (bool, map[string]
 }
 userDN := search.Entries[0].DN
- userAttributes := search.Entries[0].Attributes[0]
- userGroups := userAttributes.Values
+ var userGroups []string
+ if len(search.Entries[0].Attributes) > 0 {
+ userAttributes := search.Entries[0].Attributes[0]
+ userGroups = userAttributes.Values
+ }
 user := map[string]string{}
 for _, attr := range lc.Attributes {
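Review bot: `attributes := lc.Attributes` copies only the slice header, so the appends in the first hunk, the new conditional one included, can write into the backing array of `lc.Attributes` whenever that slice has spare capacity. If `Authenticate` can run concurrently on one `LDAPClient` (not visible in this hunk), that is a data race on shared configuration. Start from a copy instead, for example `attributes := append([]string{}, lc.Attributes...)`, and then append `"dn"` and the group attribute.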
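Review bot: Gating the duplicate-entry check on `lc.UserGroupAttribute != ""` in the second hunk means that, when no group attribute is configured, a search matching several entries no longer fails with `ErrEntriesExceeded` and `Authenticate` carries on with `search.Entries[0]`. Which entry the server lists first is not under the caller's control, so the remaining steps would run against an arbitrarily chosen account; whether the match is unique has nothing to do with group lookup. Keep the guard unconditional, `if len(search.Entries) > 1 {`, and handle the missing attribute only where the groups are read. The function continues outside this hunk, so the handling of an empty result set before `search.Entries[0]` is not visible here and should be confirmed.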
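Review bot: In the third hunk `userGroups` is still taken from `search.Entries[0].Attributes[0]`, that is, whichever attribute the server returned first rather than the one named by `lc.UserGroupAttribute`. After this patch the group attribute may be left out of the request while `lc.Attributes` are still requested, so the values of an unrelated attribute can end up as the user's groups, and any authorization decision built on those groups would act on the wrong data. Read the attribute by name and only when it is configured: `if lc.UserGroupAttribute != "" { userGroups = search.Entries[0].GetAttributeValues(lc.UserGroupAttribute) }`. How `userGroups` is consumed lies outside the hunk.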