Closed xweskingx closed 2 years ago
Based on RFC 4515, that's incorrect:
https://tools.ietf.org/search/rfc4515
The <valueencoding> rule ensures that the entire filter string is a
valid UTF-8 string and provides that the octets that represent the
ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
representing the value of the encoded octet.
Escaping parens is the correct thing to do.
Understood that it is more correct to escape the parentheses.
I wanted to make sure to document the change in behavior here from version 1 of ldaptive, where a value with balanced parentheses does not throw an exception and returns valid results from an LDAP search.
Anyone running into the issue should be sure to use FilterUtils#escape on each value if parsing the filter from a string.
If you're using FilterTemplate, parameters should be escaped appropriately. Which API are you using? There may be something we can do to improve it.
When using a filter with balanced parentheses, the FilterUtils throws a FilterParseException with "Assertion contains unescaped characters".
For example:
(&(objectClass=group)(|(name=My Group (1))(name=My Group (2))))
Where the names of the groups are "My Group (1)" and "My Group (2)". This is technically valid according to https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx#Special_Characters
To be safe one should probably escape the characters regardless, but this is a change in behavior from version 1.2
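
The escaping rule quoted from RFC 4515 in this thread, applied to the two group names from the issue, as an added example that is not ldaptive's own code. `escapeValue` and `hasUnescaped` are hypothetical stand-alone helpers; in a project that uses ldaptive, the FilterUtils#escape call mentioned in the thread is the one to use.

```java
// Added example: stand-alone RFC 4515 value escaping, not ldaptive's implementation.
public class Rfc4515EscapeDemo {

  /** Escapes "*", "(", ")", "\" and NUL as a backslash followed by two hex digits. */
  static String escapeValue(String value) {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      switch (c) {
        case '*': case '(': case ')': case '\\': case '\0':
          sb.append('\\').append(String.format("%02x", (int) c));
          break;
        default:
          sb.append(c); // other characters pass through; the string is sent as UTF-8
      }
    }
    return sb.toString();
  }

  /** True if an equality assertion value still holds a character that must be escaped. */
  static boolean hasUnescaped(String value) {
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      if (c == '\\') {
        // A backslash must introduce exactly two hexadecimal digits.
        if (i + 2 >= value.length()
            || Character.digit(value.charAt(i + 1), 16) < 0
            || Character.digit(value.charAt(i + 2), 16) < 0) {
          return true;
        }
        i += 2;
      } else if (c == '*' || c == '(' || c == ')' || c == '\0') {
        return true; // '*' is treated as a literal here, not as a substring wildcard
      }
    }
    return false;
  }

  public static void main(String[] args) {
    String[] names = {"My Group (1)", "My Group (2)"}; // group names from the issue
    StringBuilder filter = new StringBuilder("(&(objectClass=group)(|");
    for (String name : names) {
      System.out.println(name + " needs escaping: " + hasUnescaped(name));
      filter.append("(name=").append(escapeValue(name)).append(')');
    }
    filter.append("))");
    System.out.println(filter);
  }
}
```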