
LDAP / ModelException: At least one condition should be provided to OR query #40995

Closed
@Nowheresly

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

Hi,

we have a regression after upgrading to Keycloak 26.3.0 (previous version was 26.2.5, same LDAP conf and no issue).
We have a user federation with LDAP configured.
After the authentication, when the user calls CODE_TO_TOKEN, we get an error 500 with this stack:

2025-07-08 08:18:42,855 logLevel=ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-82) Uncaught server error: org.keycloak.models.ModelException: At least one condition should be provided to OR query
	at org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder.orCondition(LDAPQueryConditionsBuilder.java:58)
	at org.keycloak.storage.ldap.mappers.membership.UserRolesRetrieveStrategy$GetRolesFromUserMemberOfAttribute.getLDAPRoleMappings(UserRolesRetrieveStrategy.java:109)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getLDAPGroupMappings(GroupLDAPStorageMapper.java:634)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getLDAPGroupMappingsConverted(GroupLDAPStorageMapper.java:778)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:711)
	at org.keycloak.models.utils.UserModelDelegate.getGroupsStream(UserModelDelegate.java:234)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:717)
	at org.keycloak.models.cache.infinispan.entities.CachedUser.lambda$new$3(CachedUser.java:75)
	at org.keycloak.models.cache.infinispan.DefaultLazyLoader.lambda$get$0(DefaultLazyLoader.java:52)
	at org.keycloak.authorization.fgap.AdminPermissionsSchema.runWithoutAuthorization(AdminPermissionsSchema.java:497)
	at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:49)
	at org.keycloak.models.cache.infinispan.entities.CachedUser.getGroups(CachedUser.java:131)
	at org.keycloak.models.cache.infinispan.UserAdapter.getGroupsStream(UserAdapter.java:426)
	at org.keycloak.models.UserModel.getGroupsStream(UserModel.java:180)
	at org.keycloak.services.resources.admin.UserResource.groupMembership(UserResource.java:1115)
	at org.keycloak.services.resources.admin.UserResource$quarkusrestinvoker$groupMembership_7205dccea6655b8c59b771d74abc3c0bd11f433f.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:638)
	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
	at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

Version

26.3.0

Regression

  • The issue is a regression

Expected behavior

The CODE_TO_TOKEN endpoint should return a token as previously.

Actual behavior

After authentication, the CODE_TO_TOKEN call returns a 500 http code with the following exception:

2025-07-08 08:18:42,855 logLevel=ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-82) Uncaught server error: org.keycloak.models.ModelException: At least one condition should be provided to OR query
	at org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder.orCondition(LDAPQueryConditionsBuilder.java:58)
	at org.keycloak.storage.ldap.mappers.membership.UserRolesRetrieveStrategy$GetRolesFromUserMemberOfAttribute.getLDAPRoleMappings(UserRolesRetrieveStrategy.java:109)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getLDAPGroupMappings(GroupLDAPStorageMapper.java:634)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getLDAPGroupMappingsConverted(GroupLDAPStorageMapper.java:778)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:711)
	at org.keycloak.models.utils.UserModelDelegate.getGroupsStream(UserModelDelegate.java:234)
	at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:717)
	at org.keycloak.models.cache.infinispan.entities.CachedUser.lambda$new$3(CachedUser.java:75)
	at org.keycloak.models.cache.infinispan.DefaultLazyLoader.lambda$get$0(DefaultLazyLoader.java:52)
	at org.keycloak.authorization.fgap.AdminPermissionsSchema.runWithoutAuthorization(AdminPermissionsSchema.java:497)
	at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:49)
	at org.keycloak.models.cache.infinispan.entities.CachedUser.getGroups(CachedUser.java:131)
	at org.keycloak.models.cache.infinispan.UserAdapter.getGroupsStream(UserAdapter.java:426)
	at org.keycloak.models.UserModel.getGroupsStream(UserModel.java:180)
	at org.keycloak.services.resources.admin.UserResource.groupMembership(UserResource.java:1115)
	at org.keycloak.services.resources.admin.UserResource$quarkusrestinvoker$groupMembership_7205dccea6655b8c59b771d74abc3c0bd11f433f.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:638)
	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
	at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

How to Reproduce?

Configure an LDAP user federation with group mapping

Anything else?

No response
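An added example, not Keycloak's own code, modelling the failure mode in this report: a group lookup driven by the user's memberOf attribute assembles an OR filter with one condition per memberOf value, so a user who belongs to no group leaves the builder with zero conditions and the lookup throws instead of returning an empty group list. The builder, the `entryDN` attribute name, the RFC 4515 escaping helper and the directory and user entries are all constructed assumptions; the guarded resolver shows the check that keeps such a user's login from ending in a 500.

```python
"""Constructed example: building an LDAP OR filter from memberOf values, with
and without the empty-membership guard. Not Keycloak code."""
from typing import Sequence

# RFC 4515 escaping for values placed inside a filter; attribute values read
# back from the directory are not trusted to be free of filter metacharacters.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


class EmptyDisjunction(ValueError):
    """Raised when a builder is asked to OR zero conditions: "(|)" is not a valid filter."""


def or_filter(conditions: Sequence[str]) -> str:
    """Strict OR builder (assumed shape): refuses an empty disjunction."""
    if not conditions:
        raise EmptyDisjunction("At least one condition should be provided to OR query")
    return "(|" + "".join(conditions) + ")"


def group_conditions(member_of: Sequence[str], dn_attr: str = "entryDN") -> list:
    # One equality condition per group DN found in the user's memberOf attribute.
    return [f"({dn_attr}={escape_filter_value(dn)})" for dn in member_of]


def _search_group_dns(directory: dict, member_of: Sequence[str], flt: str) -> dict:
    # Stand-in for running `flt` against a server: the constructed directory is
    # keyed by DN, so an OR over entryDN reduces to a membership test.
    wanted = set(member_of)
    return {"filter": flt, "groups": [dn for dn in directory if dn in wanted]}


def resolve_groups_unguarded(directory: dict, user: dict) -> dict:
    """Reproduces the failure: a user with no memberOf reaches or_filter with
    no conditions, and the exception propagates to the caller."""
    member_of = user.get("memberOf", [])
    return _search_group_dns(directory, member_of, or_filter(group_conditions(member_of)))


def resolve_groups(directory: dict, user: dict) -> dict:
    """Guarded version: no memberOf values means no groups and no query at all."""
    member_of = user.get("memberOf", [])
    if not member_of:
        return {"filter": None, "groups": []}
    return _search_group_dns(directory, member_of, or_filter(group_conditions(member_of)))


# Constructed sample data (not from any real directory).
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {"cn": "admins"},
    "cn=devs,ou=groups,dc=example,dc=com": {"cn": "devs"},
}
USER_WITH_GROUPS = {"uid": "alice", "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]}
USER_WITHOUT_GROUPS = {"uid": "bob"}  # no memberOf attribute at all


if __name__ == "__main__":
    print(resolve_groups(DIRECTORY, USER_WITH_GROUPS))
    print(resolve_groups(DIRECTORY, USER_WITHOUT_GROUPS))
    try:
        resolve_groups_unguarded(DIRECTORY, USER_WITHOUT_GROUPS)
    except EmptyDisjunction as exc:
        print("unguarded lookup failed:", exc)
```

The guard belongs in the caller, not in the OR builder: a builder that silently emits `(|)` or an always-true filter would hide the bug behind a wrong answer (either an LDAP protocol error or every group in the subtree), whereas returning an empty group list for a user with no memberOf is the only result that matches the directory. When testing an upgrade of a federation provider, include at least one user with no group membership in the smoke test, since that is the case a memberOf-driven lookup is most likely to get wrong.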
