The LdapSecurityRealm when configured to search for filtered attributes (attributes that are result of another ldap query) can return duplicated entries. The main reason is this line. The ldap realm uses an ArrayList to store the attributes if there is no role recursion, but there are several situations that, without role recursion, the returned attribute can be the same:

1. Several roles have the same CN attribute at different levels. For example cn=role1,ou=engineering,dc=sample,dc=com and cn=role1,ou=sales,dc=sample,dc=com. If the mapping is configured to use the CN both names would be the same and role1 would be duplicated.
2. If using another attribute that can be duplicated. Imagine the attribute to use is the businessCategory of the group. We want to retrieve the different types of groups the user has assigned instead of the group name itself. And there are several roles in the same businesscategory. The results are duplicated.
3. If the dir-context is following referrals and roles are duplicated between the servers.
4. ...

There is no big problem with this, the result just contains duplicated entries, for example [value1, value2, value1, value1] which is very similar to [value1, value2] but not the same. This duplication is generating some issues in other test suites so better if a set is always used to maintain the returned attributes.