Avoid logging `invalidLdapEntityReturned` error when entity has insufficient authorizations

[yanavasileva]

Environment (Required on creation)

Camunda 7.20+ & LDAP plugin

Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket)

LDAP error are logged on loading WebApps welcome page with misleading text LDAP group query returned a group with id null as the group is returned correctly but doesn't have Camunda authorizations instead.

Steps to reproduce (Required on creation)

• Connect Camunda to LDAP via camunda-identity-ldap
• Login and open welcome page with a user with the following properties:
  • User is member of a LDAP group contained in the Camunda LDAP group search base
  • User does not have an authorization entry for the resource Group in Camunda

Observed Behavior (Required on creation)

The following error is logged for each of the user’s groups:

org.camunda.bpm.identity.impl.ldap LDAP-00004 LDAP group query returned a group with id null. This group will be ignored. This indicates a misconfiguration of the LDAP plugin or a problem with the LDAP service. Enable DEBUG/FINE logging for details.

Expected behavior (Required on creation)

No error is logged

Root Cause (Required on prioritization)

invalidLdapEntityReturned error (link) is thrown when a group is not authorized (link and link) even though the LDAP group query returns correct the groups. The same misleading error can be thrown for a user entity too.

Solution Ideas

1. Thrown a different error when entity (user/group) is not authorized.
2. Avoid throwing any error when entity is not authorized (behaviour prior 7.20).

Hints

Links

• caused by https://github.com/camunda/camunda-bpm-platform/issues/3546
• https://jira.camunda.com/browse/SUPPORT-21510

Breakdown

### Pull Requests

Dev2QA handover

• [ ] Does this ticket need a QA test and the testing goals are not clear from the description? Add a Dev2QA handover comment