JON is not retrieving LDAP groups (or throws javax.naming.directory.InvalidSearchFilterException) when Group Search Filter contains parentheses

Solution Verified - Updated

Environment

  • Red Hat JBoss Operations Network (ON)
    • 2.4.x
    • 3.0.x
    • 3.1.x
  • LDAP Group Search Filter contains parentheses, examples:
  (objectclass=groupOfUniqueNames)
  (&(objectclass=Group)(name=London*))

Issue

  • No groups are available in role definition page
  • LDAP groups are not being retrieved
  • potentially an exception is thrown:
org.rhq.enterprise.server.exception.LdapFilterException:The ldap group filter defined is invalid  invalid attribute description

and/or

[org.rhq.enterprise.server.resource.group.LdapGroupManagerBean] The ldap group filter defined is invalid
javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'dc=jbossuk,dc=redhat,dc=com'
        at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446)
        at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146)
        at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
        ...
  • I see a red error box saying Failed to load LDAP groups available for role on the Role Definition Screen

Resolution

The Group Search Filter needs to be specified without parentheses. Examples:

  objectclass=groupOfUniqueNames
  &(objectclass=Group)(name=London*)

Bug 652800[1] has been filed to request the ability to specify parentheses in the property value.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=652800

Root Cause

JON adds its own pair of parentheses around the supplied group filter.
So

   (objectclass=groupOfUniqueNames)

becomes

   ((objectclass=groupOfUniqueNames))

Older versions of Java (for example, 1.6.0_15) silently fail to retrieve any groups and do not return an error.

Newer versions of Java (tested with 1.6.0_45 and 1.7.0_17) detect that this filter is invalid and throw the InvalidSearchFilterException.
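
The following is an added example, not code from JON or from Red Hat: a pre-flight check that converts a standard LDAP filter into the form the Group Search Filter property expects and detects the double wrapping described above. The function names are hypothetical, and the single-pair wrapping in as_sent_by_jon() is an assumption taken from this Root Cause section.

```python
# Added example; helper names are hypothetical and not part of JON/RHQ.
# In an RFC 4515 filter string, literal parentheses inside values are escaped
# as \28 and \29, so every raw '(' or ')' seen here is structural.

def _outer_pair_spans_all(f):
    """True if f opens with '(' and its matching ')' is the last character."""
    if len(f) < 2 or f[0] != "(" or f[-1] != ")":
        return False
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                # The first '(' closes here; it wraps everything only if
                # this is also the end of the string.
                return i == len(f) - 1
    raise ValueError("unbalanced parentheses in filter: %r" % f)


def to_jon_value(ldap_filter):
    """Drop one enclosing pair of parentheses, if present, for the JON property."""
    f = ldap_filter.strip()
    return f[1:-1] if _outer_pair_spans_all(f) else f


def as_sent_by_jon(value):
    """Assumption from the Root Cause section: JON wraps the value once."""
    return "(" + value.strip() + ")"


def is_double_wrapped(search_filter):
    """True for filters such as ((objectclass=x)), which newer JDKs reject."""
    f = search_filter.strip()
    return _outer_pair_spans_all(f) and _outer_pair_spans_all(f[1:-1])


if __name__ == "__main__":
    # The two filters from the Environment section of this article.
    for original in ("(objectclass=groupOfUniqueNames)",
                     "(&(objectclass=Group)(name=London*))"):
        fixed = to_jon_value(original)
        print("entered as-is :", as_sent_by_jon(original),
              "double-wrapped =", is_double_wrapped(as_sent_by_jon(original)))
        print("entered fixed :", as_sent_by_jon(fixed),
              "double-wrapped =", is_double_wrapped(as_sent_by_jon(fixed)))
```

A filter that is already in the JON form passes through to_jon_value() unchanged, so the check is safe to run on existing property values.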
