"Bad request Error getting groups for user [user name] Unbalanced parenthesis - Unbalanced parenthesis" when importing an LDAP user into VMware Cloud Director
Article ID: 325528
Updated On:
Products
VMware Cloud Director
Issue/Introduction
Symptoms:
- When importing an LDAP user, the following error is seen in the Cloud director UI:
Bad request Error getting groups for user [user name] Unbalanced parenthesis - Unbalanced parenthesis
- Within /opt/vmware/vcloud-director/logs/vcloud-container-debug.log, we see a stack trace similar to:
com.vmware.ssdc.backendbase.ldap.LdapSyncException: LDAP_SYNC_ERROR
at com.vmware.ssdc.backendbase.usermanagement.LdapSyncHelper$2.run(LdapSyncHelper.java:109)
at com.vmware.ssdc.backendbase.usermanagement.LdapSyncHelper$2.run(LdapSyncHelper.java:103)
...
Caused by: javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name ' dc=XXX,dc=XXX'
at java.naming/com.sun.jndi.ldap.Filter.findRightParen(Filter.java:694)
at java.naming/com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:656)
at com.vmware.ssdc.backendbase.usermanagement.LdapSyncHelper$2.run(LdapSyncHelper.java:109)
at com.vmware.ssdc.backendbase.usermanagement.LdapSyncHelper$2.run(LdapSyncHelper.java:103)
...
Caused by: javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name ' dc=XXX,dc=XXX'
at java.naming/com.sun.jndi.ldap.Filter.findRightParen(Filter.java:694)
at java.naming/com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:656)
Environment
VMware Cloud Director 10.x
Cause
This issue occurs due to objects in LDAP containing a parenthesis character in its name which is not closed.
For example:
CN=ExampleUser(,CN=Users,DC=example,DC=com
Resolution
This is a known issue affecting VMware Cloud Director 10.4.2 and below.
The issue is resolved in VMware Cloud Director 10.5, available at VMware Downloads.
If you cannot upgrade to VMware Cloud Director 10.5, please use the workaround specified in the Workaround section below.
Workaround:
The issue is resolved in VMware Cloud Director 10.5, available at VMware Downloads.
If you cannot upgrade to VMware Cloud Director 10.5, please use the workaround specified in the Workaround section below.
Workaround:
- Use locally created users in Cloud Director until an upgrade to 10.5 is possible: Create a User in Your VMware Cloud Director Tenant Portal.
- Locate in the LDAP server the objects that contain an open parenthesis character, recreate the LDAP object without the parenthesis or such that the parenthesis is not left open. This may require that the User or Group is removed and re-added to Cloud Director to facilitate the change. More information on managing LDAP users and Groups is available here in the documentation on Managing Users, Groups and Roles in VMware Cloud Director.
NOTE: Cloud Director Appliance Cells include ldapsearch which can be used to search the specific LDAP instance for objects with containing parenthesis. An example command could be like the following:
ldapsearch -x -b "dc=example,dc=com" -H ldap://ldap.example.com:389 -D "<LDAP_ADMIN>" -w <LDAP_PASSWORD> "(cn=*\(*)"
Feedback
Yes
No
Powered by
