Anonymous_User Absent Member.

AD LDAP_FILTER_ERROR on query.


Hi!
I'm having a problem with destination queries with two matching values,
i.e. multivalue attributes.
When the query is transformed into an LDAP filter, the OR statement is
ended with a square bracket.

(&(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=customer,DC=intra)(objectClass=group))(|(cn=Orgunit_Thn_Trh_Me_Users_All)(cn=Orgunit_GBG_ELY_Users_ALL)*}*)

If the square bracket is changed to a bracket, then the query will
return two objects in a regular LDAP query outside IDM.

This has been seen before in a previous 'post'
(http://tinyurl.com/l5tgzwj):

It might be a bug that crept in? Can someone help me confirm it?

Thanks
//Magnus


Code:
--------------------
DirXML: [02/17/14 14:15:12.23]: Loader: Calling subscriptionShim->execute()
DirXML: [02/17/14 14:15:12.23]: Loader: XML Document:
DirXML: [02/17/14 14:15:12.23]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.4">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query-ex class-name="group" event-id="0" max-result-count="1" scope="subtree">
<search-class class-name="group"/>
<search-attr attr-name="cn">
<value naming="true" timestamp="1357041125#30" type="string">Orgunit_Thn_Trh_Me_Users_All</value>
<value timestamp="1384514008#1" type="string">Orgunit_GBG_ELY_Users_ALL</value>
</search-attr>
<read-attr attr-name="cn"/>
</query-ex>
</input>
</nds>
DirXML: [02/17/14 14:15:12.23]: ADDriver: parse command

className group
destDN
eventId 0
association
DirXML: [02/17/14 14:15:12.23]: ADDriver: query-ex new
DirXML: [02/17/14 14:15:12.23]: ADDriver: query constraints
DirXML: [02/17/14 14:15:12.23]: ADDriver: search-class group
DirXML: [02/17/14 14:15:12.23]: ADDriver: search-attr cn
DirXML: [02/17/14 14:15:12.23]: ADDriver: Orgunit_Thn_Trh_Me_Users_All
DirXML: [02/17/14 14:15:12.23]: ADDriver: Orgunit_GBG_ELY_Users_ALL
DirXML: [02/17/14 14:15:12.23]: ADDriver: query
base DN: DC=customer,DC=intra,
filter: (&(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=customer,DC=intra)(objectClass=group))(|(cn=Orgunit_Thn_Trh_Me_Users_All)(cn=Orgunit_GBG_ELY_Users_ALL)}),
return: (attribute values) objectClass, objectGUID, cn,
DirXML: [02/17/14 14:15:12.23]: ADDriver: query
base DN: DC=customer,DC=intra,
filter: (&(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=customer,DC=intra)(objectClass=group))(|(cn=Orgunit_Thn_Trh_Me_Users_All)(cn=Orgunit_GBG_ELY_Users_ALL)}),
return: (attribute values) objectClass, objectGUID, cn,
DirXML: [02/17/14 14:15:12.23]: ADDriver: ldap get next page ( 1)
DirXML: [02/17/14 14:15:12.23]: Loader: subscriptionShim->execute() returned:
DirXML: [02/17/14 14:15:12.23]: Loader: XML Document:
DirXML: [02/17/14 14:15:12.23]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.0.3" asn1id="" build="20131219_120000" instance="\META\System\Services\Idm\DriverSet1\customer_intra">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="0">
<message>Error getting next page of search results</message>
<ldap-err ldap-rc="87" ldap-rc-name="LDAP_FILTER_ERROR">
<client-err ldap-rc="87" ldap-rc-name="LDAP_FILTER_ERROR">Filter Error</client-err>
</ldap-err>
</status>
</output>
</nds>
--------------------


--
magnus
------------------------------------------------------------------------
magnus's Profile: https://forums.netiq.com/member.php?userid=283
View this thread: https://forums.netiq.com/showthread.php?t=50045
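
The filter from the trace above, rebuilt and checked, as an added example that is not part of the original post and not the AD driver shim's code. The function names are hypothetical; the sketch builds the OR term for several `cn` values with RFC 4515 value escaping and runs a structural check that reports where the logged filter breaks.

```python
# Added example, not the AD driver shim's code. Function names are hypothetical.

# Filter copied from the trace in the post (trailing log comma dropped).
LOGGED_FILTER = (
    "(&(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=customer,DC=intra)"
    "(objectClass=group))"
    "(|(cn=Orgunit_Thn_Trh_Me_Users_All)(cn=Orgunit_GBG_ELY_Users_ALL)})"
)

# RFC 4515 escapes for characters that are special inside an assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def or_filter(attr, values):
    """Build (|(attr=v1)(attr=v2)...); a single value needs no OR wrapper."""
    terms = ["(%s=%s)" % (attr, escape_value(v)) for v in values]
    if not terms:
        raise ValueError("at least one value is required")
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def group_filter(category_dn, names):
    """Same shape as the filter in the trace: class constraints AND the cn match."""
    return "(&(&(objectCategory=%s)(objectClass=group))%s)" % (
        category_dn, or_filter("cn", names))


def check_filter(flt):
    """Return None if the filter is structurally sound, else (index, reason).

    Literal parentheses inside values must be escaped, so every ')' closes a
    component and may only be followed by '(' , ')' or the end of the string.
    """
    depth, prev = 0, ""
    for i, ch in enumerate(flt):
        if prev == ")" and ch not in "()":
            return i, "unexpected %r after ')'" % ch
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return i, "unmatched ')'"
        prev = ch
    return None if depth == 0 else (len(flt), "missing %d ')'" % depth)
```

Running `check_filter(LOGGED_FILTER)` points at the stray `}` that closes the OR term, which is the character the directory rejects with LDAP_FILTER_ERROR (rc 87).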

Anonymous_User Absent Member.

Re: AD LDAP_FILTER_ERROR on query.

magnus wrote:

>
> When the query is transformed into an LDAP filter, the OR statement is
> ended with a square bracket.
>
> (&(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=customer,DC=intra)(objectClass=group))(|(cn=Orgunit_Thn_Trh_Me_Users_All)(cn=Orgunit_GBG_ELY_Users_ALL)*}*)
>
> If the square bracket is changed to a bracket, then the query will
> return two objects in a regular LDAP query outside IDM.
>
> This has been seen before in a previous 'post'
> (http://tinyurl.com/l5tgzwj):
>
> It might be a bug that crept in? Can someone help me confirm it?


This has already been reported as a bug - 854970.

If you require this fixed now, I'd suggest you open a service request and quote the bug number above.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Anonymous_User Absent Member.

Re: AD LDAP_FILTER_ERROR on query.


Thanks for the information! Since I cannot see Bugzilla, has the bug
been known for a long time?
The previous forum post stated IDM 3.6.1 ...


--
magnus
------------------------------------------------------------------------
magnus's Profile: https://forums.netiq.com/member.php?userid=283
View this thread: https://forums.netiq.com/showthread.php?t=50045

Anonymous_User Absent Member.

Re: AD LDAP_FILTER_ERROR on query.

magnus wrote:

>
> Thanks for the information! Since I cannot see Bugzilla, has the bug
> been known for a long time?


No, it was only raised 3 months ago (approx)

> The previous forum post stated IDM 3.6.1 ...


Are you able to verify/confirm that the issue still exists with the latest public Engine + AD driver shim?
I could see from your trace that your engine patch level is the latest, but there was no mention of your AD driver shim version (and this is clearly a driver shim issue)

There have been several query related bug fixes in the recent 4.0.0.x driver shim releases, so it would be great to rule out that this bug wasn't fixed as part of those changes.

Finally - as I mentioned, there's no guarantee of a timeframe for this fix (even with a bug raised).
So if this is impacting you now and you need it fixed quickly - raise an SR, quote the bug.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Anonymous_User Absent Member.

Re: AD LDAP_FILTER_ERROR on query.


It's the latest; Addriver.dll has version 4.0.0.3 - 20131219

I'll see if I can find a workaround in the code; otherwise I'll open an
SR.

Thank you
/Magnus


--
magnus
------------------------------------------------------------------------
magnus's Profile: https://forums.netiq.com/member.php?userid=283
View this thread: https://forums.netiq.com/showthread.php?t=50045
