The characters "\5c" are inserted into the search filter, resulting in a failed search.


Article ID: 37700

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Issue:

A user certificate issued to, for example, CN=Smith, John contains a backslash in its subject that escapes the comma, so the subject literally reads CN=Smith\, John. This is correct per RFC 2459 and RFC 2253: a comma inside a DN attribute value must be escaped, because an unescaped comma is the delimiter between RDNs. The user DN in the LDAP/Active Directory store contains the same backslash.

Environment:

All SiteMinder 12.x versions with Active Directory as the user store.

Cause:

By default, the SiteMinder Policy Server treats the backslash in the certificate CN, which is really the RFC 2253 escape for the comma, as a literal backslash and escapes it for the LDAP search filter as \5c (0x5C is the ASCII code for the backslash). The resulting filter asks for a CN that contains a literal backslash, which no such user has, so the search fails. When you need to match CNs that contain commas, this conversion is undesirable and must be turned off.

Resolution:

The registry value EnableSearchFilterCheck under the LDAPProvider key (full path below) controls this behavior. It is enabled by default. To stop the Policy Server from performing the conversion, set the value to 0.

Below is more information regarding EnableSearchFilterCheck.

The value is created as a REG_DWORD named EnableSearchFilterCheck in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

Set it to 0, 1, or a value greater than 1, depending on the behavior desired:

EnableSearchFilterCheck=0
Disable the check. The certificate CN is placed in the search filter unchanged, so an escaped comma such as Smith\, John is passed through as-is.

EnableSearchFilterCheck=1
Perform the conversion described under Cause (the default behavior): each backslash in the CN is rewritten as \5c before the search is sent.

EnableSearchFilterCheck=x (where "x" is a value > 1)
Impose a check that the filter complies with the RFC and block the search call if it does not. An error message is written to the log and the search call is not sent.
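To make the failure under Cause and the three settings above concrete, here is an added Python example. It is not CA/Broadcom code and not the Policy Server's implementation: it decodes the RFC 2253 escaping of the certificate CN, builds an RFC 4515 (formerly RFC 2254) search filter from it, and models the 0 / 1 / >1 settings as modes of one function. The inputs are constructed (the CN `Smith\, John` as it appears in the certificate and the raw cn value `Smith, John` stored on the directory object); the function names and the exact behavior attributed to each mode are this example's own assumptions.

```python
# Added example (not Broadcom/CA code): DN escaping (RFC 2253) versus LDAP
# filter escaping (RFC 4515, successor of RFC 2254) for a CN that contains a
# comma, and what goes wrong when the two are mixed up.
import re

# Characters RFC 2253/4514 let you escape with a single backslash inside a DN value.
_DN_SPECIALS = set(',+"\\<>;#= ')
_HEX2 = re.compile(r'[0-9A-Fa-f]{2}')


def unescape_rfc2253_value(dn_value: str) -> str:
    """Decode one DN attribute value string to its raw value: 'Smith\\, John' -> 'Smith, John'."""
    out, i = bytearray(), 0
    while i < len(dn_value):
        c = dn_value[i]
        if c != '\\':
            out += c.encode('utf-8')
            i += 1
        elif i + 1 < len(dn_value) and dn_value[i + 1] in _DN_SPECIALS:
            out += dn_value[i + 1].encode('utf-8')          # '\,' -> ','
            i += 2
        elif _HEX2.fullmatch(dn_value[i + 1:i + 3]):
            out.append(int(dn_value[i + 1:i + 3], 16))      # '\2c' -> ','
            i += 3
        else:
            raise ValueError(f'invalid RFC 2253 escape at offset {i}: {dn_value!r}')
    return out.decode('utf-8')


def escape_rfc4515_value(raw: str) -> str:
    """Encode a raw value for an LDAP filter assertion. Only NUL, '(', ')', '*',
    '\\' and non-ASCII bytes need the \\XX form; a comma is an ordinary character."""
    return ''.join(f'\\{b:02x}' if b in (0x00, 0x28, 0x29, 0x2a, 0x5c) or b >= 0x80
                   else chr(b) for b in raw.encode('utf-8'))


def unescape_rfc4515_value(filter_value: str) -> str:
    """Decode a filter assertion value. RFC 4515 only allows '\\' followed by two hex
    digits, so a DN-style '\\,' is rejected here (a lenient directory may accept it)."""
    out, i = bytearray(), 0
    while i < len(filter_value):
        if filter_value[i] != '\\':
            out += filter_value[i].encode('utf-8')
            i += 1
            continue
        pair = filter_value[i + 1:i + 3]
        if not _HEX2.fullmatch(pair):
            raise ValueError(f'not RFC 4515 compliant at offset {i}: {filter_value!r}')
        out.append(int(pair, 16))
        i += 3
    return out.decode('utf-8')


def is_rfc4515_compliant(filter_value: str) -> bool:
    """True if every backslash in the assertion value is followed by two hex digits."""
    try:
        unescape_rfc4515_value(filter_value)
        return True
    except ValueError:
        return False


def build_cn_filter(cert_cn_value: str, mode: int) -> str:
    """Illustrative model (assumption, not the Policy Server's code) of three ways to
    turn the DN-escaped CN from a certificate into a search filter:
      mode 0   pass the DN text through untouched        -> (cn=Smith\\, John)
      mode 1   re-escape every backslash as \\5c          -> (cn=Smith\\5c, John)
      mode >1  block the search unless the value is RFC 4515 compliant (ValueError)
    The numbers mirror the 0 / 1 / >1 registry settings in the article."""
    value = cert_cn_value.replace('\\', '\\5c') if mode == 1 else cert_cn_value
    if mode > 1 and not is_rfc4515_compliant(value):
        raise ValueError(f'search blocked, filter value not RFC compliant: {value!r}')
    return f'(cn={value})'


def build_cn_filter_correct(cert_cn_value: str) -> str:
    """The robust route: decode the DN escaping first, then apply filter escaping."""
    return f'(cn={escape_rfc4515_value(unescape_rfc2253_value(cert_cn_value))})'


def filter_matches_entry(cn_filter: str, entry_cn: str) -> bool:
    """Strict equality match of a (cn=...) filter against the raw cn stored on an entry."""
    m = re.fullmatch(r'\(cn=(.*)\)', cn_filter, re.DOTALL)
    if not m:
        raise ValueError(f'unsupported filter: {cn_filter!r}')
    return unescape_rfc4515_value(m.group(1)) == entry_cn


if __name__ == '__main__':
    CERT_CN = 'Smith\\, John'   # constructed: CN as written in the certificate subject
    ENTRY_CN = 'Smith, John'    # constructed: raw cn attribute value on the AD user object
    for mode in (0, 1, 2):
        try:
            f = build_cn_filter(CERT_CN, mode)
        except ValueError as e:
            print(f'mode {mode}: {e}')
            continue
        try:
            print(f'mode {mode}: {f} matches={filter_matches_entry(f, ENTRY_CN)}')
        except ValueError as e:
            print(f'mode {mode}: {f} rejected by a strict matcher ({e})')
    good = build_cn_filter_correct(CERT_CN)
    print(f'correct: {good} matches={filter_matches_entry(good, ENTRY_CN)}')
```

Running it shows the three outcomes side by side. Mode 1 yields (cn=Smith\5c, John), a filter that matches only a user whose CN contains a literal backslash, which is why the default conversion makes the search fail. Mode 0 passes (cn=Smith\, John) through; strictly, RFC 4515 does not allow a backslash that is not followed by two hex digits, so this relies on the directory tolerating the sequence, as Active Directory does in the scenario the article resolves. Decoding the DN escaping first and then applying filter escaping gives (cn=Smith, John), which matches under any conformant server; where the filter is built by code you control, that is the fix to prefer over turning the check off.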

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus