Closed
Description
When there's an LDAP error in the middle of an LDAP connection, such as intermittent network errors, django-auth-ldap will return a partial list of LDAP groups.

This is because `NestedMemberDNGroupType` calls `LDAPSearch.execute()` in a loop. The latter method ignores all errors without propagating them, and just substitutes any failure with an empty result set.
```python
class LDAPSearch:
    # ...
    def execute(self, connection, filterargs=(), escape=True):
        # ...
        try:
            # ...
            results = connection.search_s(
                self.base_dn, self.scope, filterstr, self.attrlist
            )
        except ldap.LDAPError as e:
            results = []  # <---
            logger.error(...)
        return self._process_results(results)
```
Returning partial results is a much worse behavior than propagating the error. It won't be clear to other code or to the user that an issue occurred, and they will have a really inconsistent experience in the application, with some actions arbitrarily forbidden.

It also prevents implementing any retry logic in my application.
francoisfreitag
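The failure mode described in the issue, reproduced offline as an added example (not code from the issue or from django-auth-ldap). It assumes a simplified nested group walk over a constructed directory, a stand-in `LDAPError`, and a hypothetical `FlakyConnection` whose second search fails once; it compares a search that swallows errors with one that propagates them so the caller can retry.

```python
# Added illustration; all names are hypothetical, not django-auth-ldap code.
class LDAPError(Exception):
    """Stand-in for ldap.LDAPError so the example runs without python-ldap."""

# Constructed directory: DN -> DNs of the groups that list it as a member.
PARENTS = {"uid=alice": ["cn=devs"], "cn=devs": ["cn=staff"],
           "cn=staff": ["cn=admins"], "cn=admins": []}

class FlakyConnection:
    """Fake connection whose Nth search fails once, like a network blip."""
    def __init__(self, fail_on_call):
        self.calls, self.fail_on_call = 0, fail_on_call

    def search(self, member_dn):
        self.calls += 1
        if self.calls == self.fail_on_call:
            raise LDAPError("connection reset")
        return PARENTS[member_dn]

def search_swallow(conn, dn):
    """Behaviour described in the issue: a failure becomes an empty result."""
    try:
        return conn.search(dn)
    except LDAPError:
        return []

def search_propagate(conn, dn):
    """Alternative: let the LDAPError reach the caller."""
    return conn.search(dn)

def nested_groups(conn, user_dn, search):
    """Resolve nested membership with one search call per level."""
    found, frontier = set(), [user_dn]
    while frontier:
        for parent in search(conn, frontier.pop()):
            if parent not in found:
                found.add(parent)
                frontier.append(parent)
    return found

def nested_groups_with_retry(conn, user_dn, attempts=3):
    """Retry the whole walk; only possible when search errors propagate."""
    for attempt in range(attempts):
        try:
            return nested_groups(conn, user_dn, search_propagate)
        except LDAPError:
            if attempt == attempts - 1:
                raise
```

With the swallowing search, a failure on the second lookup ends the walk early and the caller receives only `cn=devs`, indistinguishable from a user who really has one group.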