LDAP: consider blank values as null

[weizhouapache]

Description

This PR fixes #11570

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.17%. Comparing base (7c7497c) to head (f305421).
⚠️ Report is 34 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...pache/cloudstack/ldap/OpenLdapUserManagerImpl.java	0.00%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #11636      +/-   ##
============================================
- Coverage     16.17%   16.17%   -0.01%     
  Complexity    13297    13297              
============================================
  Files          5656     5656              
  Lines        498151   498151              
  Branches      60441    60441              
============================================
- Hits          80588    80586       -2     
- Misses       408591   408593       +2     
  Partials       8972     8972              

Flag	Coverage Δ
uitests	4.00% <ø> (ø)
unittests	17.03% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[sureshanaparti]

clgtm

[Copilot]

Pull Request Overview

This PR fixes an issue with LDAP authentication by replacing null checks with blank value checks to better handle empty or whitespace-only strings in LDAP configuration values.

• Replaces null checks with StringUtils.isNotBlank() for string validations
• Replaces manual collection size check with CollectionUtils.isNotEmpty()
• Improves handling of blank/empty LDAP configuration values

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[DaanHoogland]

clgtm

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15008

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[weizhouapache]

moving to 4.20.3 milestone

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 15015

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15086

[shwstppr]

code lgtm

[DaanHoogland]

@blueorangutan test keepEnv

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-14451)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 54140 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11636-t14451-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[DaanHoogland]

It works for the global setting @weizhouapache , but not for the domain level setting, @weizhouapache . You think we should do that as well?

[weizhouapache]

It works for the global setting @weizhouapache , but not for the domain level setting, @weizhouapache . You think we should do that as well?

@DaanHoogland
I guess you mean we change the way of getting values ?

domain or zone value (if domain value is null)
===>
domain or zone value (if domain value is null or blank)

[DaanHoogland]

It works for the global setting @weizhouapache , but not for the domain level setting, @weizhouapache . You think we should do that as well?

@DaanHoogland I guess you mean we change the way of getting values ?

domain or zone value (if domain value is null)
===>
domain or zone value (if domain value is null or blank)

No I mean if I empty a domain value it still gets “” instead of null. (as a global value does) i.e. your change only applies on the global level.

[weizhouapache]

It works for the global setting @weizhouapache , but not for the domain level setting, @weizhouapache . You think we should do that as well?

@DaanHoogland I guess you mean we change the way of getting values ?

domain or zone value (if domain value is null)
===>
domain or zone value (if domain value is null or blank)

No I mean if I empty a domain value it still gets “” instead of null. (as a global value does) i.e. your change only applies on the global level.

oh, I did not notice where the values come from.
I think LdapConfiguration.java considers the domain level configurations, does it ?

[DaanHoogland]

It works for the global setting @weizhouapache , but not for the domain level setting, @weizhouapache . You think we should do that as well?

@DaanHoogland I guess you mean we change the way of getting values ?

domain or zone value (if domain value is null)
===>
domain or zone value (if domain value is null or blank)

No I mean if I empty a domain value it still gets “” instead of null. (as a global value does) i.e. your change only applies on the global level.

oh, I did not notice where the values come from.
I think LdapConfiguration.java considers the domain level configurations, does it ?

Yes initially if a domain is given, but with considering override of course. If no domain is passed global is considered.

[weizhouapache]

oh, I did not notice where the values come from.
I think LdapConfiguration.java considers the domain level configurations, does it ?

Yes initially if a domain is given, but with considering override of course. If no domain is passed global is considered.

I am trying to understand what the problem is.

If domain setting is blank or empty, it will be used, but this PR considers it as null.
Is it what you expected ?
or, should the global setting be considered ?

[DaanHoogland]

oh, I did not notice where the values come from.
I think LdapConfiguration.java considers the domain level configurations, does it ?

Yes initially if a domain is given, but with considering override of course. If no domain is passed global is considered.

I am trying to understand what the problem is.

If domain setting is blank or empty, it will be used, but this PR considers it as null. Is it what you expected ? or, should the global setting be considered ?

I just re-tested it;

• on domain level set a value for ldap.search.group.principle
• check in the DB domain-settings table that it is set
• set the setting for this domain to “”
• in the DB it will be an empty string
• reset the domain level setting
• in the DB the record is gone

So my question is, is this the behaivure we want

• in domain an empty string is just an empty string
• globally an empty string leads to a NULL in the DB
  cc @scottsignal

I think an empty string should be an empty string. We could put a validation of sorts in place but introducing this inconsistency is not desirable imnsho.

[weizhouapache]

I just re-tested it;

• on domain level set a value for ldap.search.group.principle
• check in the DB domain-settings table that it is set
• set the setting for this domain to “”
• in the DB it will be an empty string
• reset the domain level setting
• in the DB the record is gone

So my question is, is this the behaivure we want

• in domain an empty string is just an empty string
• globally an empty string leads to a NULL in the DB
  cc @scottsignal

I think an empty string should be an empty string. We could put a validation of sorts in place but introducing this inconsistency is not desirable imnsho.

I agree it would be better to deal with the global settings with default "NULL"
closing this PR

[scottsignal]

@DaanHoogland @weizhouapache I'm sorry for my late response on this.

I am fine with leaving it the way it is. I think this PR #11728 would address this anyways.