The characters "\5c" are inserted into search filter resulting in a failed search.

Article ID: 37700


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Issue:

A user certificate is issued to a subject whose CN contains a comma, for example CN=Lastname, Firstname. Because the comma is the delimiter between RDNs in the string form of a DN, it must be escaped with a backslash, so the certificate subject actually reads literally "CN=Lastname\, Firstname". This is correct per RFC 2459 and RFC 2253. The user's DN in the LDAP/Active Directory user store carries the same backslash escape.

Environment

All SiteMinder 12.x versions with Active Directory as the user store.

Cause

By default, the SiteMinder Policy Server treats every backslash it finds in the certificate CN as a literal character and, when it builds the LDAP search filter, escapes it to \5c (5c is the hex value of the ASCII backslash, and \5c is the filter escape for a literal backslash). Here the backslash is not part of the name but the DN-string escape for the comma, so the resulting filter searches for a cn value that actually contains a backslash; no such entry exists and the search fails. To match CNs that contain literal commas, this conversion must be turned off.

Resolution

The registry value EnableSearchFilterCheck under HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider controls this behavior. It is enabled by default. To stop the Policy Server from performing the conversion, set this value to 0. (On UNIX/Linux Policy Servers the same setting lives in the sm.registry file rather than the Windows registry.)

Below is more information regarding EnableSearchFilterCheck.

EnableSearchFilterCheck=0
Disabled. Backslashes in the filter are not converted to \5c; this is the setting required for the case described above.

EnableSearchFilterCheck=1 (default)
Enabled. Backslashes in the filter are converted to \5c.

EnableSearchFilterCheck=x (where "x" is a value > 1)
Impose a check that the filter complies with the RFC and block the search call if it does not comply. An error message is written to the log and the search call is blocked.

This registry value should be created in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

Add the value "EnableSearchFilterCheck" of type REG_DWORD with data "0", "1", or a value greater than 1, depending on the behavior desired.
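As an added illustration of the Cause section and of the "impose RFC check" mode (this is example code written for this page, not code from the article or from the SiteMinder product), the following Python models the two escaping layers that collide here: RFC 2253/4514 escaping inside a DN string, and RFC 2254/4515 escaping inside a search filter. The constructed certificate subject, the directory entry's stored cn value, and the search_filter_check function (an assumed approximation of what a value greater than 1 enforces) are all assumptions; the article does not document the Policy Server's internals.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
# "*" is deliberately absent: an unescaped "*" is a legal substring wildcard,
# so a caller escapes it only when it is meant literally.
_FILTER_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal attribute value for use in an LDAP search filter.

    This is the conversion the article attributes to the Policy Server when
    EnableSearchFilterCheck is enabled: every backslash becomes \\5c.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value).replace("*", r"\2a")


def unescape_dn_value(rdn_value: str) -> str:
    """Undo RFC 2253/4514 escaping of one RDN value: "\\,"  -> ",", "\\5c" -> "\\"."""
    buf, i = bytearray(), 0
    while i < len(rdn_value):
        ch = rdn_value[i]
        if ch == "\\" and i + 1 < len(rdn_value):
            pair = rdn_value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(int(pair, 16))       # \XX hex escape (one byte of UTF-8)
                i += 3
            else:
                buf.extend(rdn_value[i + 1].encode("utf-8"))  # \<special char>
                i += 2
        else:
            buf.extend(ch.encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def unescape_filter_value(value: str) -> str:
    """Decode RFC 4515 \\XX escapes the way a directory server does on receipt."""
    raw = re.sub(rb"\\([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]),
                 value.encode("utf-8"))
    return raw.decode("utf-8")


def cn_from_subject(subject_dn: str) -> str:
    """Return the raw, still DN-escaped CN value from a subject DN string.

    Splits only on commas not preceded by a backslash, so "\\," inside the CN
    survives. Assumes a single CN RDN, as in the article's scenario.
    """
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value
    raise ValueError("no CN in subject")


def naive_filter(subject_dn: str) -> str:
    """Filter built from the raw CN: the DN-escape backslash is treated as a
    literal and turned into \\5c, so the filter looks for a cn containing an
    actual backslash."""
    return f"(cn={escape_filter_value(cn_from_subject(subject_dn))})"


def correct_filter(subject_dn: str) -> str:
    """Filter built by first removing DN escaping, then applying filter escaping."""
    return f"(cn={escape_filter_value(unescape_dn_value(cn_from_subject(subject_dn)))})"


# Constructed sample data (assumptions for this example): the certificate's
# subject string, and the cn attribute value actually stored on the AD entry.
# The entry's DN string escapes the comma, but the stored attribute does not
# contain a backslash.
CERT_SUBJECT = "CN=Lastname\\, Firstname,O=Example Corp,C=US"
DIRECTORY_CN = "Lastname, Firstname"


def directory_matches(filter_str: str, stored_cn: str = DIRECTORY_CN) -> bool:
    """Simulate the server evaluating an equality filter against the stored cn."""
    m = re.fullmatch(r"\(cn=(.*)\)", filter_str, re.DOTALL)
    return bool(m) and unescape_filter_value(m.group(1)) == stored_cn


# Assumed approximation of the EnableSearchFilterCheck > 1 mode: accept the
# filter only if its value contains no unescaped "(", ")", NUL or backslash,
# with every backslash forming a valid \XX escape (RFC 4515).
_VALUE_RE = re.compile(r"(?:[^\x00()\\]|\\[0-9A-Fa-f]{2})*")


def search_filter_check(filter_str: str) -> bool:
    m = re.fullmatch(r"\(([\w.;-]+)=(.*)\)", filter_str, re.DOTALL)
    return bool(m) and _VALUE_RE.fullmatch(m.group(2)) is not None


if __name__ == "__main__":
    for build in (naive_filter, correct_filter):
        f = build(CERT_SUBJECT)
        print(f"{build.__name__:15} {f:32} matches={directory_matches(f)} "
              f"rfc_ok={search_filter_check(f)}")
```

Running it shows the naive filter "(cn=Lastname\5c, Firstname)" is RFC-clean but matches nothing, while "(cn=Lastname, Firstname)" matches the entry; the raw, unconverted "(cn=Lastname\, Firstname)" is what the check mode would reject and block.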