From f64fbc7fbd9e67a2c0b77c87d426ac26428d14b0 Mon Sep 17 00:00:00 2001
From: Joao Amaral <7281460+joaopamaral@users.noreply.github.com>
Date: Thu, 14 May 2026 14:42:09 -0300
Subject: [PATCH] fix(ldap): load full user fields on login so teams are not wiped

`LdapAuthenticator.checkAndCreateUser` fetched the existing OpenMetadata user with only `"id,name,email,roles"`. The subsequent PUT through `UserUtil.addOrUpdateUser -> userRepository.createOrUpdate` then ran `UserUpdater.entitySpecificUpdate`, which unconditionally invokes `updateTeams`, `updatePersonas`, etc. Because the in-memory user had `teams = null`, `updateTeams` executed `deleteTo(user, HAS, TEAM) + assignTeams(null)`, which wiped every manually-assigned team on every LDAP login. The same path wiped `personas`, `defaultPersona`, `profile`, `domains`, `personaPreferences`, `authenticationMechanism`, and `isEmailVerified`. The `deleteTo` against a user with many teams also made login visibly slow. Switch the fetch to `userRepository.getFieldsWithUserAuth("*")`, matching the `BasicAuthenticator` path, so the PUT sees the user's full state and the updater preserves it.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../service/security/auth/LdapAuthenticator.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java b/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java
index edad29c4f26d..32ff88bcabaa 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java
@@ -162,8 +162,16 @@ private User checkAndCreateUser(String userDn, String email, String userName) th
 // Check if the user exists in OM Database
 try {
- User omUser =
- userRepository.getByEmail(null, email, userRepository.getFields("id,name,email,roles"));
+ // Load the same field set the PUT path uses (USER_UPDATE_FIELDS): roles, teams,
+ // profile, authenticationMechanism, isEmailVerified, personas, defaultPersona,
+ // domains, personaPreferences. UserUpdater.entitySpecificUpdate runs updateTeams /
+ // updatePersonas / etc. unconditionally; with a sparse fetch those fields arrive
+ // null and the updater wipes the corresponding relationships, which destroys the
+ // user's manually-assigned teams on every LDAP login and makes login slow (deleteTo
+ // does work proportional to the user's existing team count). Use getPutFields()
+ // (narrow) rather than getFieldsWithUserAuth("*") (wide) so we don't eagerly load
+ // the heavy owns/follows relationship sets on every login.
+ User omUser = userRepository.getByEmail(null, email, userRepository.getPutFields());
 getRoleForLdap(userDn, omUser, Boolean.TRUE);
 finalUser = omUser;
 } catch (EntityNotFoundException ex) {
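Review bot: The commit message and the code disagree on which fetch is used: the description says the lookup is switched to `userRepository.getFieldsWithUserAuth("*")` to match `BasicAuthenticator`, but the new line in this hunk calls `userRepository.getPutFields()` and the comment directly above it explicitly rejects the wide fetch in favour of the narrow one. One of the two should be corrected before merge so the rationale recorded in history matches what ships, since a later reader of the commit will otherwise expect the `BasicAuthenticator` parity the message promises. The nine-line comment also largely restates the commit message; a shorter form such as `// Fetch the PUT field set so UserUpdater.entitySpecificUpdate sees the user's existing teams/personas/etc. and does not wipe them on each LDAP login.` keeps the why without the change narrative. Whether `getPutFields()` covers every relationship the updater touches unconditionally cannot be confirmed from this hunk alone, so a regression test that logs in an LDAP user holding a pre-assigned team and asserts the team survives would pin the behaviour the fix relies on.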