Failing to find groups by member in Active Directory with java ldap

Question

My ldap queries from Java aren't returning any group objects when my filter is about a member contained in the groups. These queries work using other tools, like ldp or the Active Directory Users and Group tab. But in java they return nothing:

Options: scope=subtree, requested attributes={"sAMAccountName"}
Search base: OU=Groups,DC=blah
Filter: (member=CN=Hunt\, Jeremy (Admin),OU=Users,DC=blah)
// no results

However, I can successfully query the other way round:

Options: scope=subtree, requested attributes={"member"}
Search base: OU=Groups,DC=blah
Filter: (&)
// returns Admins group, member=CN=Hunt\, Jeremy (Admin),OU=Users,DC=blah

So specifically, the issue is I can't seem to filter on (member={0}) or unless I'm also using scope=base . But I need a subtree search that returns groups.

What could be the problem? What can I ask the admins to check?

Answer 1

The correct escaping for DNs within ldap query filters should be according to RFC 2254. You need to handle backslash, asterisk, brackets/parentheses, and NUL.

For example, from the Apache Tomcat source of JNDIRealm.java :

protected String doRFC2254Encoding(String inString) {
    StringBuilder buf = new StringBuilder(inString.length());
    for (int i = 0; i < inString.length(); i++) {
        char c = inString.charAt(i);
        switch (c) {
            case '\\':
                buf.append("\\5c");
                break;
            case '*':
                buf.append("\\2a");
                break;
            case '(':
                buf.append("\\28");
                break;
            case ')':
                buf.append("\\29");
                break;
            case '\0':
                buf.append("\\00");
                break;
            default:
                buf.append(c);
                break;
        }
    }
    return buf.toString();
}