Hi all,
 
I don't think it's a bug. It's the LDAP mechanism. You may create a member when you initialize your LDAP data, like this (circled in red):
 
 
Thanks,
Diego
Software Engineer | IT Architecture | diegol@synnex.com | 782370

From: security-dev-bounces@lists.jboss.org [mailto:security-dev-bounces@lists.jboss.org] On Behalf Of Ehsan Zaery Moghaddam
Sent: Tuesday, September 15, 2015 3:55 PM
To: security-dev@lists.jboss.org
Subject: [security-dev] Adding a new child group to a parent group that has no children before

Hi guys

I'm trying to use PicketLink on top of an LDAP server using the following configuration:

// Imports added for completeness (PicketLink 2.x package names)
import javax.enterprise.event.Observes;
import org.picketlink.event.IdentityConfigurationEvent;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.model.basic.Group;
import org.picketlink.idm.model.basic.GroupMembership;
import org.picketlink.idm.model.basic.User;

public void observeIdentityConfigurationEvent(@Observes IdentityConfigurationEvent event) {
    IdentityConfigurationBuilder builder = event.getConfig();

    builder.named("default")
        .stores()
            .ldap()
                .baseDN("dc=moghaddam,dc=com")
                .bindDN("cn=Directory Manager")
                .bindCredential("111")
                .url("ldap://localhost:389")
                .supportCredentials(true)
                // User entries live under ou=Users
                .mapping(User.class)
                    .baseDN("ou=Users,dc=moghaddam,dc=com")
                    .objectClasses("inetOrgPerson")
                    .attribute("firstName", "givenName")
                    .attribute("lastName", "sn")
                    .attribute("email", "mail")
                    .attribute("loginName", "cn", true)
                    .attribute("employeeNumber", "employeeNumber")
                // Group entries live under ou=Groups; parent/child links use "member"
                .mapping(Group.class)
                    .hierarchySearchDepth(4)
                    .baseDN("ou=Groups,dc=moghaddam,dc=com")
                    .objectClasses("gamGroup")
                    .attribute("name", "name", true)
                    .parentMembershipAttributeName("member")
                .mapping(GroupMembership.class)
                    .forMapping(Group.class)
                    .attribute("member", "member")
        .build();
}

What I want to do is to create a new Group as a child of a parent Group object:

Group parentGroup = BasicModel.getGroup(identityManager, "/Group 1");

Group group = new Group("Child Group", parentGroup);

identityManager.add(group);

If "/Group 1" has at least one "member" in LDAP, everything works fine. But if it has no members at all, when PicketLink's LDAPIdentityStore.addToParentAsMember tries to load it from the LDAP server, there is no Attribute object named "member" in its attribute list. So when it tries to call the add method of the retrieved attribute, a NullPointerException is thrown.

I'm not sure whether this is intentional (meaning a group should always have at least one member) or just a bug, so I decided to ask here first and haven't created an issue in JIRA yet. If it's a bug, there should be a null check before adding the new child, and if the member attribute is null, we have to first add a "member" attribute to the parent object and then add the new child to it.

Regards
Ehsan
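The null-safe handling of the "member" attribute that Ehsan proposes, written out as an added example. This is not PicketLink's own code and not from either poster: it uses only the JDK's javax.naming.directory classes to model a group entry's attributes, the class and method names are hypothetical, and the sample group entry and child DN are constructed for the demonstration.

```java
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

/**
 * Added example (hypothetical names, not PicketLink code): why adding a
 * child to a parent group whose entry carries no "member" attribute fails
 * with a NullPointerException, and two null-safe ways to handle it.
 */
public class MemberAttributeExample {

    static final String MEMBER = "member";

    /** Mirrors the failing pattern: assumes the attribute is already present. */
    static Attributes addMemberNaive(Attributes parent, String childDn) {
        Attribute member = parent.get(MEMBER); // null when the group has no members
        member.add(childDn);                   // NullPointerException on an empty group
        return parent;
    }

    /** Null-safe version: create the attribute first if the entry lacks it. */
    static Attributes addMemberSafe(Attributes parent, String childDn) {
        Attribute member = parent.get(MEMBER);
        if (member == null) {
            member = new BasicAttribute(MEMBER);
            parent.put(member);                // attach the new, empty attribute
        }
        if (!member.contains(childDn)) {       // avoid a duplicate-value error
            member.add(childDn);
        }
        return parent;
    }

    /**
     * Alternative when writing straight to the directory: an ADD_ATTRIBUTE
     * modification creates the attribute on the entry if it is absent, so the
     * caller never has to inspect the loaded entry first.
     */
    static ModificationItem addMemberModification(String childDn) {
        return new ModificationItem(DirContext.ADD_ATTRIBUTE,
                                    new BasicAttribute(MEMBER, childDn));
    }

    /** Constructed sample entry: a group with no "member" attribute at all. */
    static Attributes emptyGroup(String name) {
        Attributes attrs = new BasicAttributes(true); // ignore attribute-id case
        attrs.put("objectClass", "gamGroup");
        attrs.put("name", name);
        return attrs;
    }

    public static void main(String[] args) {
        // Constructed child DN; the RDN attribute follows the "name" id mapping above
        String childDn = "name=Child Group,ou=Groups,dc=moghaddam,dc=com";

        try {
            addMemberNaive(emptyGroup("Group 1"), childDn);
        } catch (NullPointerException e) {
            System.out.println("naive: NullPointerException, as described on the list");
        }

        Attributes fixed = addMemberSafe(emptyGroup("Group 1"), childDn);
        System.out.println("safe: " + fixed.get(MEMBER));

        // A second call does not add a duplicate value
        addMemberSafe(fixed, childDn);
        System.out.println("safe again, value count: " + fixed.get(MEMBER).size());

        ModificationItem mod = addMemberModification(childDn);
        System.out.println("modify op: " + mod);
    }
}
```

The ModificationItem variant is the one to prefer when the code already holds a DirContext: passing it to modifyAttributes(dn, new ModificationItem[] { mod }) lets the server create the attribute on first use, which removes the need for the null check entirely and avoids the read-then-write race where another client changes the group between the load and the add.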