Please explain the EnableSearchFilterCheck registry setting: how it works, what its values are, etc.
Sometimes we see a message like this in the SMPS log but it doesn't appear to cause an issue.
[ERROR] CSmDsLdapProvider::SearchCount(): Wrong syntax of LDAP search filter: (& (givenname=<name>)(uid=<name>))
Policy Server 12.8 ANY
Various sources have slightly different descriptions of how this setting works.
The EnableSearchFilterCheck setting checks special characters in LDAP search filters.
The full registry value is HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\Ds\LDAPProvider\EnableSearchFilterCheck
- Even if the registry key does not exist, the default value is 1 (enabled)
The expected values of this key are:
0 - Disabled - no check is done, and no error message appears in the log
1 - Enabled - This is the default setting. A check is done, and an error message appears in the log if the search filter contains characters that are not compliant with the LDAP RFC.
>1 - Enabled/blocking - Any value greater than 1 enables the check, prints an error message if applicable, and blocks the search call.
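The three modes can be modelled as follows. This is an added illustration, not Policy Server code: the page does not say which characters the product's check rejects, so a strict RFC 4515 structural check is assumed as a stand-in (under that grammar the space after `&` in the logged filter is the violation), and the names `rfc4515_error` and `search` are hypothetical.

```python
import re

# Filter string copied from the log line above (<name> is the page's placeholder).
LOGGED_FILTER = "(& (givenname=<name>)(uid=<name>))"

# Simple item: attribute, operator, value. The value may not contain raw
# ( ) \ or NUL; a backslash must start a two-hex-digit escape (RFC 4515).
# '*' is accepted for every operator; extensible match is not covered.
_ITEM = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9.;-]*(?:=|~=|>=|<=)(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*")

def _filter(s, i):
    """Parse one '(' filtercomp ')' at s[i]; return the index just past it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        i = _filter(s, i + 1)              # filterlist = 1*filter
        while i < len(s) and s[i] == "(":
            i = _filter(s, i)
    elif i < len(s) and s[i] == "!":
        i = _filter(s, i + 1)
    else:
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError(f"bad item at offset {i}")
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def rfc4515_error(s):
    """Return None for a well-formed filter, otherwise a reason string."""
    try:
        end = _filter(s, 0)
    except ValueError as exc:
        return str(exc)
    return None if end == len(s) else f"trailing data at offset {end}"

def search(filter_str, enable_search_filter_check=1):
    """Model of the modes: returns (search_sent, log_lines). Default is 1."""
    if enable_search_filter_check == 0:
        return True, []                    # 0: no check, no message
    if rfc4515_error(filter_str) is None:
        return True, []
    log = [f"[ERROR] Wrong syntax of LDAP search filter: {filter_str}"]
    return enable_search_filter_check == 1, log   # 1: log only; >1: log and block

if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(mode, search(LOGGED_FILTER, mode))
```

With the value at 1 the search still goes out, which matches the observation that the logged error "doesn't appear to cause an issue"; only values above 1 stop the call.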