Open briandignan opened 8 years ago
In general, you should not create search filters by constructing their string representations. Instead, you should programmatically construct them from their individual components. In the case of the filter you have listed, instead of trying to construct its string representation, you should build it like:
Filter filter = Filter.createANDFilter(
Filter.createEqualityFilter("objectClass", "group"),
Filter.createEqualityFilter("member", userEntry.getDN()));
Using this approach instead of concatenating strings provides several benefits, including:
And for the record, the correct way to escape a comma in a search filter is with "\5c,". That is, you escape the backslash as "\5c" and leave the comma alone. So the correct string representation of the filter you're trying to use is:
(&(objectClass=group)(member=cn=Smith\5c, James K.,ou=West,dc=MyDomain,dc=com))
The syntax for escaping filters is different from the syntax for escaping DNs. I didn't write the specs, but that's the way it is.
And although it's not applicable in this case, if you're not sure how to properly escape a DN, you can also programmatically construct a DN and have the LDAP SDK do all of the escaping for you. The code to create the DN listed above would be:
DN dn = new DN(
new RDN("cn", "Smith, James K."),
new RDN("ou", "West"),
new RDN("dc", "MyDomain"),
new RDN("dc", "com"));
Thank you Neil! That worked.
Some of our Active Directory accounts have commas in the CN field. For example:
Smith, James K.
When I query the distinguishedName (which contains the CN) for this account, it returns this:
cn=Smith\, James K.,ou=West,dc=MyDomain,dc=com
.However, if I try to use this string to construct a new filter for a subsequent query the groups that the account is a member of:
(&(objectClass=group)(member=cn=Smith\, James K.,ou=West,dc=MyDomain,dc=com))
Filter.readEscapedHexString throws an exception:
It works when I modify the first switch statement in Filer.readEscapedHexString to contain this:
But I don't know the code well to determine if this would create other bugs. Do you know if there are any other ways around this problem?