kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

handle NULL search result for group dn #195

Closed gouzhuang closed 5 years ago

gouzhuang commented 6 years ago

The LDAP server could return NULL for dn when there was no match; in this case the original code would act as if there was a match.

davama commented 6 years ago

I see that it's been sitting since 12/2017, but if it helps, I've tested this and it works as intended

$ slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (May 16 2018 09:55:53) $
    mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

Thanks for providing this @gouzhuang

Roemer commented 6 years ago

Any news on that PR?

landryb commented 5 years ago

I've also tested it (against an openldap server, with nginx 1.16.0) and it solves #194 for me, which is quite awkward when you expect users to get denied while they're silently allowed access...

Looked at the logic of the code, and the fix makes sense to me. Maybe the check against NULL could be completely avoided, as it seems the outcome only relies on the return code (i.e. LDAP_SUCCESS or LDAP_NO_RESULTS_RETURNED) and doesn't even look at the returned values. But that would require much more interop testing...
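An added illustration of the fail-open condition discussed in this thread, not code from the pull request or from nginx-auth-ldap: a simplified C model of a group check that trusts the result code alone, next to one that also requires a DN. `struct group_search`, the `RC_*` constants, the sample DN and all function names are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the result codes named in the thread; values are local to this example. */
enum { RC_SUCCESS = 0, RC_NO_RESULTS = 1 };

/* Hypothetical summary of one group search: result code plus matched DN (NULL if none). */
struct group_search { int rc; const char *dn; };

/* Behaviour reported in the PR: success counts as a match even with no DN. */
int group_matched_unchecked(const struct group_search *r)
{
    return r->rc == RC_SUCCESS;
}

/* Fail closed: a match needs a successful search and a non-empty DN. */
int group_matched_checked(const struct group_search *r)
{
    if (r->rc != RC_SUCCESS)
        return 0;
    return r->dn != NULL && r->dn[0] != '\0';
}

typedef int (*match_fn)(const struct group_search *);

/* Allow the request only if at least one required group matched. */
int allow_any_group(const struct group_search *res, size_t n, match_fn matched)
{
    for (size_t i = 0; i < n; i++)
        if (matched(&res[i]))
            return 1;
    return 0; /* nothing matched: deny */
}

/* Constructed sample: user in neither group; first search succeeds with a NULL DN. */
const struct group_search not_a_member[] = { { RC_SUCCESS, NULL }, { RC_NO_RESULTS, NULL } };
/* Constructed sample: second search returns a real group DN. */
const struct group_search member[] = {
    { RC_NO_RESULTS, NULL }, { RC_SUCCESS, "cn=admins,ou=groups,dc=example,dc=org" } };

int main(void)
{
    printf("non-member, unchecked: %d\n", allow_any_group(not_a_member, 2, group_matched_unchecked));
    printf("non-member, checked:   %d\n", allow_any_group(not_a_member, 2, group_matched_checked));
    printf("member, checked:       %d\n", allow_any_group(member, 2, group_matched_checked));
    return 0;
}
```

A regression test for this class of bug needs a directory fixture in which the user belongs to none of the required groups, since that is the only case where the two checks disagree.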