-
Bug
-
Resolution: Not a bug
-
Medium
-
1.1.1
-
None
This bug was submitted through http://support.atlassian.com and was confirmed:
When I go to the Principals page to search for a user (i.e. "stephen tang"), I noticed the Crowd log shows something like this:
14:33:21,366 INFO crowd.integration.directory.connector.SpringLDAPConnector: Performing search: baseDN = OU=Studios,dc=company,dc=com - filter = (&(sAMAccountName=john doe)(objectClass=person))
When I try to put something more complicated into the User Object Filter field, like:
(&(&(objectClass=user)(objectClass=organizationalPerson))(!objectClass=computer))), Crowd complains that the parentheses are unbalanced. The log shows:
15:39:08,346 INFO crowd.integration.directory.connector.SpringLDAPConnector: Performing principal search: baseDN = ou=Users, ou=Studios,OU=Studios,dc=company,dc=com - filter = (&(sAMAccountName=john doe)(&(&(objectClass=user)(objectClass=organizationalPerson))(!objectClass=computer)))
Which results in the following error:
Invalid search filter; nested exception is javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; ...
[CWD-506] LDAP fitlering only supports one fitler.
David O'Flynn [Atlassian]
added a comment - Incomplete LDAP syntax resulted in error that looked like a bug.
David O'Flynn [Atlassian]
added a comment - Incomplete LDAP syntax resulted in error that looked like a bug. David O'Flynn [Atlassian]
added a comment - Hi Stephen,
The example you provided (see 1, below) is not a valid LDAP query. LDAP is addicted to brackets, so to make the query valid, you need to separate the negation operator and the objectClass=computer with another set of brackets (see 2, below). I've verified that Crowd operates correctly with the syntax from the second example, when run against Microsoft Active Directory 2000.
You can verify this yourself using a product such as Apache Directory Studio to manually enter query syntax.
1: (&(&(objectClass=user)(objectClass=organizationalPerson))(!objectClass=computer)))
2: (&(&(objectClass=user)(objectClass=organizationalPerson))(!(objectClass=computer))))
I hope this resolves your issue and allows you to successfully complete your evaluation of Crowd 
dave.
David O'Flynn [Atlassian]
added a comment - Hi Stephen,
The example you provided (see 1, below) is not a valid LDAP query. LDAP is addicted to brackets, so to make the query valid, you need to separate the negation operator and the objectClass=computer with another set of brackets (see 2, below). I've verified that Crowd operates correctly with the syntax from the second example, when run against Microsoft Active Directory 2000.
You can verify this yourself using a product such as Apache Directory Studio to manually enter query syntax.
1: (&(&(objectClass=user)(objectClass=organizationalPerson))(!objectClass=computer)))
2: (&(&(objectClass=user)(objectClass=organizationalPerson))(!(objectClass=computer))))
I hope this resolves your issue and allows you to successfully complete your evaluation of Crowd
dave. 
Stephen Tang
added a comment - Hello,
I originally raised this issue about the filter bug. I am commenting that we still are interested in resolving this bug, so we can evaluate it in our environment. My company has great interest in a SSO solution, but this bug made it difficult to go any further with the evaluation.
--Stephen
Stephen Tang
added a comment - Hello,
I originally raised this issue about the filter bug. I am commenting that we still are interested in resolving this bug, so we can evaluate it in our environment. My company has great interest in a SSO solution, but this bug made it difficult to go any further with the evaluation.
--Stephen 
Hi David,
I'll pass this along to my team and consult the IT dept. Obviously, we don't enough about LDAP, and probably should have consulted the IT dept. first.
Thank you for verifying the LDAP syntax.
--Stephen