Certificate Mapping Problems following upgrade : Encoding LDAP search filter (Legacy_Onyx KB Id: 263432)

Document ID : KB000054941
Last Modified Date : 14/02/2018

Description:

We are using the v6 SP5 CR012 Policy Server and are facing problems with certificate mappings.

Mapping expression used:
------------------------------
*)(employeeNumber=%{UID}*

LDAP User DN Lookup:
Start: (&(uid=
End: ))

Search expression in the LDAP:
-----------------------------------
CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (&(uid=*\29\28employeeNumber=10224418))

Solution:

SiteMinder provides LDAP search filter checking functionality that parses LDAP search filters to ensure that they comply with the LDAP standard (RFC).

Previously, this filter checker was always enabled, which could cause complex search queries to fail when they used LDAP characters (such as the backslash "\") that are not permitted in the LDAP standard but are allowed in specific LDAP implementations.

Additionally, complex user disambiguation filters in which a portion of a search query was placed in the username portion of an expression would fail because the filter checker automatically quoted all parentheses that appeared to be part of a username to prevent LDAP errors caused by unbalanced parentheses.
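The quoting behaviour described above can be reproduced outside SiteMinder. The following Python sketch is an added example, not SiteMinder code: it joins the Start/End strings and mapping expression from this article, then compares quoting every parenthesis (which produces the `\29\28` form seen in the log) with escaping only the substituted value per RFC 4515. All function names are hypothetical, the value `1022(tmp` is constructed, and escaping only the substituted value is an assumption for illustration, not the product's algorithm.

```python
# Added illustration, not SiteMinder code; all function names are hypothetical.
START = "(&(uid="                      # "Start" value from the article
END = "))"                             # "End" value from the article
MAPPING = "*)(employeeNumber=%{UID}*"  # mapping expression from the article

# RFC 4515 escapes for characters that are special inside an assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape a literal attribute value per RFC 4515."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def quote_parens(text):
    """Quote every parenthesis, as the article says the old checker did."""
    return text.replace("(", r"\28").replace(")", r"\29")


def build_filter(mapping, uid, quote_all=False, escape_uid=False):
    """Expand %{UID} in the mapping and wrap it in the Start/End strings."""
    if escape_uid:
        uid = escape_value(uid)
    middle = mapping.replace("%{UID}", uid)
    if quote_all:
        middle = quote_parens(middle)
    return START + middle + END


def parens_balanced(ldap_filter):
    """True when the unescaped parentheses in the filter are balanced."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # 10224418 is the value in the article's log line; "1022(tmp" is constructed.
    for uid in ("10224418", "1022(tmp"):
        print(build_filter(MAPPING, uid))                   # structure kept, value raw
        print(build_filter(MAPPING, uid, quote_all=True))   # structure destroyed
        print(build_filter(MAPPING, uid, escape_uid=True))  # structure kept, value literal
```

With quoting applied to the whole expression, the two intended conditions collapse into a single `uid` condition containing literal parentheses; with no escaping at all, a value containing a parenthesis leaves the filter unbalanced.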

The LDAP search filter checker is disabled by default and uses a more intelligent algorithm that prevents inadvertent quoting of parentheses that form part of the search expression. To enable the LDAP search filter checker, create the following system registry variable and set it to a non-zero value.

EnableSearchFilterCheck registry
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\Ds\LDAPProvider\EnableSearchFilterCheck