search cancel

Siteminder 6.x is reporting a "Wrong syntax of LDAP search filter" in the SMPS.log


Article ID: 52672


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



In the SMPS log of Siteminder 6.x we see the reporting of "Wrong syntax of LDAP search filter" for the following valid search filter:

(& (objectcategory=person) (objectclass=user) )

The following error message is displayed in the SMPS.log that corresponds to this search filter:
[SmDsLdapProvider.cpp:2143][ERROR] CSmDsLdapProvider::SearchCount(): Wrong syntax of LDAP search filter: (& (objectcategory=person) (objectclass=user) )

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create back up of the registry and ensure that you understand how to restore the registry if a problem may occur.
For more information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on


The error message is displayed in the SMPS.log due to the additional "white space" in the syntax of the search filter:

(& (objectcategory=person) (objectclass=user) )

If the search filter were defined without the additional "white space" as follows:


then the "Wrong syntax of LDAP search filter" message will not be displayed.

The behavior of the LDAP Search Filter Checker can also be adjusted in order to avoid the error message from appearing in the SMPS.log. This can be done by configuring the "EnableSearchFilterCheck" registry key (6.0 SP3 base and higher) as follows:

No Filter check for Search calls

EnableSearchFilterCheck=1 ( *If no registry key is present this is the default behavior )
Impose check on Filter to comply with RFC But no impact on Search calls.
[Only error message is printed in smps.log. But Search is allowed with the filter]

EnableSearchFilterCheck=x (where "x" is a value > 1)
Impose check on Filter to comply with RFC and block the search call if it does not comply with RFC.
[Error message printed in log and Search call is blocked]

This Registry Key should be created in the following location;


Add the key "EnableSearchFilterCheck=x; REG_DWORD", where "x" is the value of "0", "1", or a value greater than 1, depending on the behavior desired.


Component: SMPLC