Fix #40995 avoid ModelException: At least one condition should be provided to OR query

Closes #40995 Signed-off-by: Sylvere Richard <sylvere.richard@gmail.com>
2026-01-09 23:12:06 -03:30 · 2025-07-08 12:51:58 +02:00 · 2025-07-08 12:51:58 +02:00 · 173471a1c9
commit 173471a1c9
parent efd1ffd244
1 changed files with 8 additions and 8 deletions
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java
@ -106,14 +106,14 @@ public interface UserRolesRetrieveStrategy {

                // load only those groups/roles the user is memberOf
                // we do this by query to apply defined custom filters
-                ldapQuery.addWhereCondition(conditionBuilder.orCondition(
-                        memberOfValues.stream()
-                            .map(LDAPDn::fromString)
-                            .filter(roleDN -> roleDN.isDescendantOf(LDAPDn.fromString(roleOrGroupMapper.getConfig().getLDAPGroupsDn())))
-                            .map(roleDN -> conditionBuilder.equal(rdnAttr, roleDN.getFirstRdn().getAttrValue(rdnAttr)))
-                            .toArray(Condition[]::new)
-                        )
-                );
+                final Condition[] conditions = memberOfValues.stream()
+                        .map(LDAPDn::fromString)
+                        .filter(roleDN -> roleDN.isDescendantOf(LDAPDn.fromString(roleOrGroupMapper.getConfig().getLDAPGroupsDn())))
+                        .map(roleDN -> conditionBuilder.equal(rdnAttr, roleDN.getFirstRdn().getAttrValue(rdnAttr)))
+                        .toArray(Condition[]::new);
+                if (conditions.length > 0) {
+                    ldapQuery.addWhereCondition(conditionBuilder.orCondition(conditions));
+                }

                return LDAPUtils.loadAllLDAPObjects(ldapQuery, ldapConfig);
            }