Catch missing LDAP accounts in group membership

This catches missing LDAP accounts when looking up group membership.
This prevents throwing excessive LDAP stack traces to the log file,
since a user that doesn't exist won't be a member of anything.

Bug: Issue 1640
Change-Id: I75fd86fb9b8c5836125d261957893f34ffc48407

1 files changed, 14 insertions, 2 deletions

diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
index 7d0ad24325..63ef2e63f3 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
@@ -198,7 +198,13 @@ import javax.security.auth.login.LoginException;
       final HashMap<String, String> params = new HashMap<String, String>();
 
       if (account == null) {
-        account = findAccount(schema, ctx, username);
+        try {
+          account = findAccount(schema, ctx, username);
+        } catch (AccountException e) {
+          LdapRealm.log.warn("Account " + username +
+              " not found, assuming empty group membership");
+          return Collections.emptySet();
+        }
       }
       for (String name : schema.groupMemberQueryList.get(0).getParameters()) {
         params.put(name, account.get(name));
@@ -215,7 +221,13 @@ import javax.security.auth.login.LoginException;
 
     if (schema.accountMemberField != null) {
       if (account == null) {
-        account = findAccount(schema, ctx, username);
+        try {
+          account = findAccount(schema, ctx, username);
+        } catch (AccountException e) {
+          LdapRealm.log.warn("Account " + username +
+              " not found, assuming empty group membership");
+          return Collections.emptySet();
+        }
       }
 
       final Attribute groupAtt = account.getAll(schema.accountMemberField);