From c1d4a47baea91f2ecb88aa082f6a2be6c52e8030 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Thu, 3 Jul 2025 19:50:54 +0200 Subject: [PATCH 1/2] Handle search returning nil in searching for POSIX group members According to the API documentation search may return a dataset or nil. Calling nil.map will fail. Link: https://rubydoc.info/gems/ruby-net-ldap/Net/LDAP#search-instance_method --- lib/ldap_fluff/posix_member_service.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ldap_fluff/posix_member_service.rb b/lib/ldap_fluff/posix_member_service.rb index 72a099d..e5cebd5 100644 --- a/lib/ldap_fluff/posix_member_service.rb +++ b/lib/ldap_fluff/posix_member_service.rb @@ -21,7 +21,7 @@ def find_user_groups(uid) @ldap.search( :filter => user_group_filter(uid, user[:dn].first), :base => @group_base, :attributes => ["cn"] - ).map { |entry| entry[:cn][0] } + )&.map { |entry| entry[:cn][0] } end class UIDNotFoundException < LdapFluff::Error From 5381855e677d04484885d6043d108726a26ae1ad Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Fri, 4 Jul 2025 12:28:05 +0200 Subject: [PATCH 2/2] Handle errors from ldap.search --- lib/ldap_fluff/ad_member_service.rb | 4 +++- lib/ldap_fluff/freeipa_netgroup_member_service.rb | 5 ++++- lib/ldap_fluff/netiq_member_service.rb | 9 +++++++-- lib/ldap_fluff/posix_member_service.rb | 10 ++++++++-- lib/ldap_fluff/posix_netgroup_member_service.rb | 5 ++++- 5 files changed, 26 insertions(+), 7 deletions(-) diff --git a/lib/ldap_fluff/ad_member_service.rb b/lib/ldap_fluff/ad_member_service.rb index 3a12f70..8af1be5 100644 --- a/lib/ldap_fluff/ad_member_service.rb +++ b/lib/ldap_fluff/ad_member_service.rb 
@@ -15,7 +15,9 @@ def find_user_groups(uid) if _get_domain_func_level >= 6 user_dn = user_data[:distinguishedname].first search = @ldap.search(:base => user_dn, :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['msds-memberOfTransitive']) - if !search.nil? && !search.first.nil? + if search.nil? + raise Net::LDAP::Error, @ldap.get_operation_result[:error_message].to_s + elsif !search.first.nil? return get_groups(search.first['msds-memberoftransitive']) end end diff --git a/lib/ldap_fluff/freeipa_netgroup_member_service.rb b/lib/ldap_fluff/freeipa_netgroup_member_service.rb index 134fcbf..5d29e2a 100644 --- a/lib/ldap_fluff/freeipa_netgroup_member_service.rb +++ b/lib/ldap_fluff/freeipa_netgroup_member_service.rb @@ -3,10 +3,13 @@ class LdapFluff::FreeIPA::NetgroupMemberService < LdapFluff::FreeIPA::MemberService def find_user_groups(uid) groups = [] - @ldap.search(:filter => Net::LDAP::Filter.eq('objectClass', 'nisNetgroup'), :base => @group_base).each do |entry| + success = @ldap.search(:filter => Net::LDAP::Filter.eq('objectClass', 'nisNetgroup'), :base => @group_base, :return_result => false) do |entry| members = get_netgroup_users(entry[:nisnetgrouptriple]) groups << entry[:cn][0] if members.include? uid end + unless success + raise Net::LDAP::Error, @ldap.get_operation_result[:error_message].to_s + end groups end end diff --git a/lib/ldap_fluff/netiq_member_service.rb b/lib/ldap_fluff/netiq_member_service.rb index 7708ccb..c7fa52f 100644 --- a/lib/ldap_fluff/netiq_member_service.rb +++ b/lib/ldap_fluff/netiq_member_service.rb @@ -34,10 +34,15 @@ def find_user_groups(uid) # do nothing end - @ldap.search( + results = @ldap.search( :filter => filter, :base => @group_base, :attributes => ['cn'] - ).map { |entry| entry[:cn][0] } + ) + if results + results.map { |entry| entry[:cn][0] } + else + raise Net::LDAP::Error, @ldap.get_operation_result[:error_message].to_s + end end end 
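Review bot: The exception raised on `search.nil?` in ad_member_service.rb can end up with an empty message, because `get_operation_result[:error_message]` holds only the server's optional diagnostic text and `.to_s` turns a missing one into `""`. Including the result code and its name keeps a failed lookup diagnosable, for example `res = @ldap.get_operation_result` followed by `raise Net::LDAP::Error, "LDAP search failed: #{res.message} (code #{res.code}) #{res.error_message}"`. The diagnostic text is server-supplied, so callers should log it rather than show it to end users. The same raise expression is repeated in the freeipa_netgroup, netiq, posix and posix_netgroup hunks of this patch, so one private helper would keep them consistent if the services share a base class (not visible here). The enclosing find_user_groups continues outside the hunk.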
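Review bot: The rewritten search in freeipa_netgroup_member_service.rb still asks the directory for every attribute of every `nisNetgroup` entry, although the block reads only `entry[:nisnetgrouptriple]` and `entry[:cn]`. Adding `:attributes => ['cn', 'nisNetgroupTriple']` to the call would limit what is pulled from the server to what the membership check needs. A one-line comment such as `# with :return_result => false, search yields each entry and returns true/false` would also explain where `success` comes from. The posix_netgroup_member_service.rb hunk has the identical call and would take the same two changes.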
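Review bot: The `if results ... else raise ... end` at the end of find_user_groups in netiq_member_service.rb puts the failure path last and makes the method's return value the result of an if expression. A guard clause reads more directly: `raise Net::LDAP::Error, @ldap.get_operation_result[:error_message].to_s unless results` followed by `results.map { |entry| entry[:cn][0] }`. The posix_member_service.rb hunk in this patch has the same shape and would take the same rewrite. The start of the method, including the code that builds `filter`, is outside the hunk.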
diff --git a/lib/ldap_fluff/posix_member_service.rb b/lib/ldap_fluff/posix_member_service.rb index e5cebd5..a9a2409 100644 --- a/lib/ldap_fluff/posix_member_service.rb +++ b/lib/ldap_fluff/posix_member_service.rb @@ -18,10 +18,16 @@ def find_user(uid, base_dn = @base) # note : this method is not particularly fast for large ldap systems def find_user_groups(uid) user = find_user(uid).first - @ldap.search( + results = @ldap.search( :filter => user_group_filter(uid, user[:dn].first), :base => @group_base, :attributes => ["cn"] - )&.map { |entry| entry[:cn][0] } + ) + + if results + results.map { |entry| entry[:cn][0] } + else + raise Net::LDAP::Error, @ldap.get_operation_result[:error_message].to_s + end end class UIDNotFoundException < LdapFluff::Error diff --git a/lib/ldap_fluff/posix_netgroup_member_service.rb b/lib/ldap_fluff/posix_netgroup_member_service.rb index 17e3515..4ced119 100644 --- a/lib/ldap_fluff/posix_netgroup_member_service.rb +++ b/lib/ldap_fluff/posix_netgroup_member_service.rb @@ -5,10 +5,13 @@ class LdapFluff::Posix::NetgroupMemberService < LdapFluff::Posix::MemberService # return list of group CNs for a user def find_user_groups(uid) groups = [] - @ldap.search(:filter => Net::LDAP::Filter.eq('objectClass', 'nisNetgroup'), :base => @group_base).each do |entry| + success = @ldap.search(:filter => Net::LDAP::Filter.eq('objectClass', 'nisNetgroup'), :base => @group_base, :return_result => false) do |entry| members = get_netgroup_users(entry[:nisnetgrouptriple]) groups << entry[:cn][0] if members.include? uid end + unless success + raise Net::LDAP::Error, @ldap.get_operation_result[:error_message].to_s + end groups end end
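Review bot: The `Net::LDAP::Error` now raised from find_user_groups in posix_member_service.rb sits outside the library's own exception hierarchy, which the context line `class UIDNotFoundException < LdapFluff::Error` at the end of this hunk shows. A caller that rescues only `LdapFluff::Error` would presumably not catch a failed group search; whether existing callers do so is not visible here. Group lookups usually feed authorization decisions, so failing loudly instead of returning nil is the safer direction, but the new failure mode should be part of the documented contract. Either add `# @raise [Net::LDAP::Error] when the directory search fails` above the method, or wrap the failure in an `LdapFluff::Error` subclass. This applies equally to the ad, freeipa_netgroup, netiq and posix_netgroup hunks.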