SiteMinder 6.x reports "Wrong syntax of LDAP search filter" in the SMPS.log

Article ID: 52672

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

In SiteMinder 6.x, the SMPS log reports "Wrong syntax of LDAP search filter" for the following valid search filter:

(& (objectcategory=person) (objectclass=user) )

The following error message is displayed in the SMPS.log that corresponds to this search filter:
[SmDsLdapProvider.cpp:2143][ERROR] CSmDsLdapProvider::SearchCount(): Wrong syntax of LDAP search filter: (& (objectcategory=person) (objectclass=user) )

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create a backup of the registry and ensure that you understand how to restore it if a problem occurs.
For more information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on support.microsoft.com.

Solution:

The error message is displayed in the SMPS.log due to the additional "white space" in the syntax of the search filter:

(& (objectcategory=person) (objectclass=user) )

If the search filter is defined without the additional "white space", as follows:

(&(objectcategory=person)(objectclass=user))

then the "Wrong syntax of LDAP search filter" message is not displayed.

The behavior of the LDAP Search Filter Checker can also be adjusted to prevent the error message from appearing in the SMPS.log. This is done by configuring the "EnableSearchFilterCheck" registry key (6.0 SP3 base and higher) as follows:

EnableSearchFilterCheck=0
No filter check is performed for Search calls.

EnableSearchFilterCheck=1 (this is the default behavior if no registry key is present)
The filter is checked for compliance with the RFC, but Search calls are not affected.
[Only the error message is printed in smps.log; the search is still allowed with the filter.]

EnableSearchFilterCheck=x (where "x" is a value > 1)
The filter is checked for compliance with the RFC, and the Search call is blocked if the filter does not comply.
[The error message is printed in the log and the Search call is blocked.]

This registry key should be created in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

Add the key "EnableSearchFilterCheck=x; REG_DWORD", where "x" is "0", "1", or a value greater than 1, depending on the desired behavior.
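
The following added example (not CA's code and not part of the original article) locates whitespace between filter components so that filters can be corrected before EnableSearchFilterCheck is set to a value greater than 1. It models only the whitespace case described above, not the Policy Server's actual checker; the function names scan_filter and predicted_outcome are hypothetical.

```python
"""Added example: find whitespace between LDAP filter components.

Models only the whitespace case this article describes; it is not the
Policy Server's own filter checker.
"""

STRUCTURAL = set("(&|!)")


def scan_filter(ldap_filter):
    """Return (normalized_filter, offsets_of_removed_whitespace).

    Whitespace is removed only between components. Once an attribute
    assertion starts, every character up to its closing ')' is kept,
    because spaces inside a value such as (cn=John Smith) are data.
    """
    out, offsets, in_item = [], [], False
    for pos, ch in enumerate(ldap_filter):
        if in_item:
            in_item = ch != ")"              # ')' closes the assertion
            out.append(ch)
        elif ch.isspace():
            offsets.append(pos)              # whitespace between components
        else:
            in_item = ch not in STRUCTURAL   # anything else starts attr=value
            out.append(ch)
    return "".join(out), offsets


def predicted_outcome(ldap_filter, check_value):
    """Map a filter to the behaviour the article lists per registry value."""
    _, offsets = scan_filter(ldap_filter)
    if check_value == 0 or not offsets:
        return {"logged": False, "blocked": False}
    return {"logged": True, "blocked": check_value > 1}


if __name__ == "__main__":
    # Constructed sample input; the first entry is the filter from the article.
    samples = [
        "(& (objectcategory=person) (objectclass=user) )",
        "(|(cn=John Smith)(sn=Doe))",
    ]
    for f in samples:
        fixed, where = scan_filter(f)
        print(f"{f!r}\n  whitespace at {where}\n  normalized: {fixed!r}")
        for value in (0, 1, 2):
            print(f"  EnableSearchFilterCheck={value}: {predicted_outcome(f, value)}")
```

Whitespace immediately before an assertion's closing parenthesis is treated as part of the value and is left in place, so review such filters by hand.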

Environment

Release:
Component: SMPLC