The CTS reaper runs a periodic search to find tokens to clean up. The search uses a simple paged results control in the request.
When OpenDJ responds to this search, it does not necessarily include the corresponding control data in the response. For example, if the user has a size-limit of 1000 and requests a page size of 1000, OpenDJ drops the control on the response as it is not needed.
The reaper assumes that it will always get a paged control object in the response and does not have any error handling for this. This results in an NPE if the above scenario occurs:
The page size the reaper uses is not configurable:
This, combined with the default OpenDJ size-limit of 1000, means that anyone who uses a non-administrative user for their CTS connection is likely to encounter this problem.
Steps to reproduce:
1) Set up vanilla OpenAM 11 with SFO/CTS enabled on a vanilla external OpenDJ.
2) Observe normal operation / token cleanup.
3) Change CTS bind user to a plain user with no special permissions except read/delete/search on the tokens suffix.
4) Observe the problem.
5) Change the user's size-limit to 1001.
6) Problem no longer occurs.
There are probably some other scenarios that lead to the same behaviour that don't revolve around the size-limit issue.
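
The paging loop described above, written so that a response without the paged results control ends the search instead of causing an NPE. This is an added example, not OpenAM or OpenDJ SDK code: `Page`, `Directory` and `collectExpired` are hypothetical stand-ins, and the token data is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

// Added example: stand-in types, not the OpenAM or OpenDJ SDK classes.
public class PagedReaperSketch {

    /** One search response: entries plus the paging cookie, or null when the server sent no control. */
    record Page(List<String> entries, byte[] cookie) {}

    /** Hypothetical directory that omits the response control when no further page exists. */
    interface Directory {
        Page search(int pageSize, byte[] cookie);
    }

    /** Collects every token ID; a missing control and an empty cookie both end the loop. */
    static List<String> collectExpired(Directory dir, int pageSize) {
        List<String> all = new ArrayList<>();
        byte[] cookie = new byte[0];               // empty cookie requests the first page
        do {
            Page page = dir.search(pageSize, cookie);
            all.addAll(page.entries());
            // The reaper as described dereferences the control unconditionally.
            // Here an absent control is treated as "this was the last page".
            cookie = Optional.ofNullable(page.cookie()).orElse(new byte[0]);
        } while (cookie.length > 0);
        return all;
    }

    public static void main(String[] args) {
        // Constructed data: five token IDs held by a fake server.
        List<String> tokens = List.of("t1", "t2", "t3", "t4", "t5");
        Directory dir = (size, cookie) -> {
            int start = cookie.length == 0 ? 0 : cookie[0];
            int end = Math.min(start + size, tokens.size());
            // null models the dropped control once the remaining entries fit in one response
            byte[] next = end < tokens.size() ? new byte[] {(byte) end} : null;
            return new Page(tokens.subList(start, end), next);
        };
        System.out.println(collectExpired(dir, 2));     // several pages, control missing on the last
        System.out.println(collectExpired(dir, 1000));  // one response, control never sent
    }
}
```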