Cannot perform OR (|) LDAP query with custom attributes (4226086)

When using an Include by Query rule on a Dynamic Group with OR (|) operations that contain Virtual Attributes, no results appear.

You might experience the same issue when using LDAP filters that combine built-in and custom Virtual Attributes using OR (|) operator in PowerShell scripts.

This is a by-design limitation of Active Roles.

If you are getting a "is not a valid LDAP filter" error message when querying Active Directory by virtual attributes, check the following:

Check the LDAP filter for matching brackets. Any open bracket "(" should have a corresponding closing one ")".

If you mix real AD attributes with stored Virtual Attributes in one query, and you also mix "& and "|" in one query, ensure the filter combines real and virtual attributes only by "&". This is a design limitation of Active Roles. If you need to execute a query like this (search AD for users that has either edsvaCustomStoredVA set to Value1 or extensionAttribute1 set to Value2):

(&(objectClass=User)(|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))

Or, in more readable form:

(&(objectClass=User)(|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))

Then you can "open" the "|" condition brackets:

Note: There is a simple rule for this kind of transformation. You can treat the "&" as multiply "*", and "|" as addition "+" operation in mathematics and use those basic rules.

So that:

(&(objectClass=User)(|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))

becomes

(*(objectClass=User)(+(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))

which becomes

((objectClass=User) * ((edsvaCustomStoredVA=Value1) + (extensionAttribute1=Value2)))

which can be transformed to

( ((objectClass=User) * (edsvaCustomStoredVA=Value1)) + ((objectClass=User) * (extensionAttribute1=Value2)) )

and back to LDAP

(|(&(objectClass=User)(edsvaCustomStoredVA=Value1))(&(objectClass=User)(extensionAttribute1=Value2)))