My LDAP queries from Java aren't returning any group objects when my filter is about a member contained in the groups. These queries work using other tools, like ldp or the Active Directory Users and Group tab. But in Java they return nothing:
    Options: scope=subtree, requested attributes={"sAMAccountName"}
    Search base: OU=Groups,DC=blah
    Filter: (member=CN=Hunt\, Jeremy (Admin),OU=Users,DC=blah)
    // no results
However, I can successfully query the other way round:
    Options: scope=subtree, requested attributes={"member"}
    Search base: OU=Groups,DC=blah
    Filter: (&)
    // returns Admins group, member=CN=Hunt\, Jeremy (Admin),OU=Users,DC=blah
So specifically, the issue is I can't seem to filter on (member={0}) unless I'm also using scope=base. But I need a subtree search that returns groups.
What could be the problem? What can I ask the admins to check?
The correct escaping for DNs within LDAP query filters should be according to RFC 2254. You need to handle backslash, asterisk, brackets/parentheses, and NUL.
For example, from the Apache Tomcat source of JNDIRealm.java:
    protected String doRFC2254Encoding(String inString) {
        StringBuilder buf = new StringBuilder(inString.length());
        for (int i = 0; i < inString.length(); i++) {
            char c = inString.charAt(i);
            switch (c) {
                case '\\':
                    buf.append("\\5c");
                    break;
                case '*':
                    buf.append("\\2a");
                    break;
                case '(':
                    buf.append("\\28");
                    break;
                case ')':
                    buf.append("\\29");
                    break;
                case '\0':
                    buf.append("\\00");
                    break;
                default:
                    buf.append(c);
                    break;
            }
        }
        return buf.toString();
    }