
Wrong syntax of LDAP search filter


Article ID: 53772


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

The customer is getting a "Wrong syntax of LDAP search filter" error in the smps.log after adding a search filter to the Policy used for user authorization. Everything seems to work fine, but the error is repeatedly written to the log.

The error message appears in the smps.log as in the sample below:
[ERROR] CSmDsLdapProvider::SearchCount(): Wrong syntax of LDAP search filter: (& (givenname=loadtest)(uid=testuser*))

Even though the error message is found in the log, the users are still correctly authorized.

Solution:

If you look carefully, the search filter has a *space* between the "&" and the first sub-filter: "(&*space*(givenname=loadtest)(uid=testuser*))"

Although the search succeeds, SiteMinder runs a pre-filter sanity check on the search filter before sending it to the LDAP server.

If there are spaces between the components of the search filter, you will see the error in the smps.log together with the exact search string that was used. Written without the space, the filter passes the check:
(&(givenname=loadtest)(uid=testuser*))

However, the default behaviour is to send the request to the LDAP server anyway, so the users are correctly authorized.
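To see why a single space trips the check, it helps to run the filter through a small RFC 4515 syntax checker before it goes into a Policy. The following is an added example and not SiteMinder's own Search Filter Checker: it implements the core RFC 4515 grammar (and/or/not lists, equality, approximate, ordering and substring items; extensible matching is omitted) and reports the position of the first offending character. The sample filters are the ones quoted from the smps.log above; no LDAP server is contacted.

```python
"""Minimal RFC 4515 LDAP search-filter syntax checker (added example).

Mimics the kind of pre-flight sanity check the article describes so that a
filter can be validated before it is pasted into a policy.  Only the filter
grammar is checked; nothing is sent to a directory server.
"""

import re
from typing import Optional, Tuple

# attribute description: a descriptor (with optional ;options) or a numeric OID
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)+")
# assertion value: any character except unescaped ( ) * \ ; \XX hex escapes allowed
_VALUE_RE = re.compile(r"(?:[^()*\\]|\\[0-9A-Fa-f]{2})*")


class FilterSyntaxError(ValueError):
    def __init__(self, pos: int, msg: str):
        super().__init__(f"position {pos}: {msg}")
        self.pos = pos


def _parse_filter(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(i, "expected '('")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError(i, "unexpected end of filter")
    c = s[i]
    if c in "&|":
        # filterlist: one or more filters, each immediately following the other;
        # "(& (" fails right here because a space appears instead of '('
        i += 1
        if i >= len(s) or s[i] != "(":
            raise FilterSyntaxError(i, f"expected '(' after '{c}', found {s[i:i + 1]!r}")
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
    elif c == "!":
        i = _parse_filter(s, i + 1)
    else:
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(i, f"expected ')', found {s[i:i + 1]!r}")
    return i + 1


def _parse_item(s: str, i: int) -> int:
    """Parse attr=value, attr~=value, attr>=value, attr<=value, presence or substring."""
    m = _ATTR_RE.match(s, i)
    if not m:
        raise FilterSyntaxError(i, "expected attribute description")
    i = m.end()
    if s.startswith(("~=", ">=", "<="), i):
        i += 2
    elif s.startswith("=", i):
        i += 1
    else:
        raise FilterSyntaxError(i, "expected '=', '~=', '>=' or '<='")
    # value: a simple value, a lone '*' (presence), or '*'-separated substrings
    i = _VALUE_RE.match(s, i).end()  # the regex always matches, possibly empty
    while i < len(s) and s[i] == "*":
        i = _VALUE_RE.match(s, i + 1).end()
    return i


def check_filter(filt: str) -> Tuple[bool, Optional[str]]:
    """Return (True, None) for a well-formed RFC 4515 filter, else (False, reason)."""
    try:
        end = _parse_filter(filt, 0)
    except FilterSyntaxError as e:
        return False, str(e)
    if end != len(filt):
        return False, f"position {end}: trailing characters {filt[end:]!r}"
    return True, None


if __name__ == "__main__":
    # the two filters from the article: the logged one and the corrected one
    for f in ("(& (givenname=loadtest)(uid=testuser*))",
              "(&(givenname=loadtest)(uid=testuser*))"):
        ok, reason = check_filter(f)
        print(f"{f!r}: {'OK' if ok else 'Wrong syntax, ' + reason}")
```

The logged filter is rejected at position 2 ("expected '(' after '&', found ' '"), which is the space the Solution section points at; the corrected filter passes. Note that RFC 4515 permits whitespace inside an assertion value, so this checker accepts a filter such as `(cn=John Smith)`; the article only documents the space between filter components.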

The behaviour of the LDAP Search Filter Checker can also be adjusted so that the error message no longer appears in the smps.log. This is done by configuring the "EnableSearchFilterCheck" registry key as follows:

This Registry Key should be created in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

Add the key "EnableSearchFilterCheck=x; REG_DWORD", where "x" is the value of "0", "1", or a value greater than 1, depending on the behavior desired.

EnableSearchFilterCheck=0: No filter check for Search calls.

EnableSearchFilterCheck=1 (the default behaviour if no registry key is present): Impose a check on the filter to comply with the RFC, but with no impact on Search calls. [Only the error message is printed in smps.log; the Search is still allowed with the filter.]

EnableSearchFilterCheck=x (where "x" is a value > 1): Impose a check on the filter to comply with the RFC and block the Search call if it does not comply with the RFC. [Error message printed in the log and the Search call is blocked.]

Environment

Release:
Component: SMPLC