The characters "\5c" are inserted into search filter resulting in a failed search.


Article ID: 37700



CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On



A user certificate issued, for example, to CN=Lastname, Firstname contains a backslash that escapes the comma, so the subject literally reads "CN=Lastname\, Firstname". This is correct per RFC 2459 and RFC 2253: commas must be escaped in DNs because the comma is the RDN delimiter. The LDAP/Active Directory server has the same escaped backslash in the user's DN.

All SiteMinder 12.x versions with Active Directory as the user store.

By default, the SiteMinder Policy Server finds the backslash in the certificate CN (where it only escapes a comma) and converts it to \5c (5c is the hex code of the ASCII backslash), so the generated search filter no longer matches the user's DN and the search fails. In this case the conversion is undesirable and must be turned off if you want to match CNs that contain literal commas.


The registry value HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\Ds\LDAPProvider\EnableSearchFilterCheck controls this behavior. It is enabled by default. To stop the Policy Server from performing the conversion, disable this registry value.

More information regarding EnableSearchFilterCheck:

EnableSearchFilterCheck=x (where "x" is a value > 1)

Impose a check on the filter for RFC compliance and block the search call if the filter does not comply with the RFC. (An error message is written to the log and the search call is blocked.)

This registry value should be created in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\Ds\LDAPProvider

Add the value EnableSearchFilterCheck of type REG_DWORD and set its data to "x", where "x" is 0, 1, or a value greater than 1, depending on the behavior desired.
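As an added illustration (example code written for this article, not SiteMinder's own code or a description of its internals), the following Python shows the two escaping rules the article cites and how they interact: RFC 2253 escaping of a comma inside a DN attribute value, and RFC 4515 escaping of a backslash in a search filter as \5c. It also includes a hypothetical RFC 4515 compliance check of the kind described for EnableSearchFilterCheck values greater than 1 (every backslash in a filter must be followed by two hex digits). The function names, the compliance-check model and the sample CN are constructed for the example; only the standard library is used.

```python
import re

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# RFC 2253 / RFC 4514: characters that may be escaped in a DN value with a
# single backslash (a backslash followed by two hex digits is also allowed).
_DN_SPECIALS = ',+"\\<>;#= '

# A backslash that is NOT followed by two hex digits is invalid in an RFC 4515 filter.
_BAD_FILTER_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")


def filter_escape(value: str) -> str:
    """Escape a raw attribute value for use in an LDAP search filter (RFC 4515).

    A literal backslash becomes \\5c; this is the conversion the article describes.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def dn_unescape(rdn_value: str) -> str:
    """Decode an attribute value taken from the string form of a DN (RFC 2253 / 4514).

    "\\," becomes ",", "\\5c" becomes a backslash, "\\2c" becomes ",", and so on.
    Raises ValueError on a backslash that escapes nothing valid.
    """
    buf = bytearray()
    i, n = 0, len(rdn_value)
    while i < n:
        ch = rdn_value[i]
        if ch != "\\":
            buf += ch.encode("utf-8")
            i += 1
        elif i + 1 < n and rdn_value[i + 1] in _DN_SPECIALS:
            buf += rdn_value[i + 1].encode("utf-8")
            i += 2
        elif i + 2 < n and re.fullmatch(r"[0-9A-Fa-f]{2}", rdn_value[i + 1 : i + 3]):
            buf.append(int(rdn_value[i + 1 : i + 3], 16))
            i += 3
        else:
            raise ValueError(f"invalid DN escape at offset {i}: {rdn_value!r}")
    return buf.decode("utf-8")


def filter_is_rfc4515_compliant(filter_str: str) -> bool:
    """Return True if every backslash in the filter starts a two-hex-digit escape.

    Hypothetical model of the check the article describes for
    EnableSearchFilterCheck > 1: a non-compliant filter would be blocked.
    """
    return _BAD_FILTER_ESCAPE.search(filter_str) is None


def build_cn_filter(cert_cn: str, decode_dn_escapes: bool) -> str:
    """Build a (cn=...) filter from a CN copied out of a certificate subject string.

    decode_dn_escapes=False reproduces the failing behaviour in the article: the
    DN-level backslash is treated as data and filter-escaped to \\5c.
    decode_dn_escapes=True decodes the DN escape first, so the filter carries the
    real attribute value.
    """
    value = dn_unescape(cert_cn) if decode_dn_escapes else cert_cn
    return f"(cn={filter_escape(value)})"


def demo() -> dict:
    """Run the article's scenario on a constructed CN and return the three filters."""
    cert_cn = "Lastname\\, Firstname"  # constructed: CN as it appears in the subject string
    return {
        "converted": build_cn_filter(cert_cn, decode_dn_escapes=False),
        "decoded": build_cn_filter(cert_cn, decode_dn_escapes=True),
        "raw": f"(cn={cert_cn})",  # what the filter holds if no conversion is applied
    }


if __name__ == "__main__":
    for name, flt in demo().items():
        print(f"{name:>9}: {flt}  rfc4515_compliant={filter_is_rfc4515_compliant(flt)}")
```

Running the block shows that filter-escaping the still-DN-escaped CN yields (cn=Lastname\5c, Firstname), which searches for a name containing a literal backslash and so does not match the directory entry; decoding the DN escape first yields (cn=Lastname, Firstname). The raw form (cn=Lastname\, Firstname) is the one an RFC 4515 compliance check rejects, since "\," is not a hex escape.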