Event ID 2000 is noted in the Active Roles Event Viewer logs for one or more Dynamic Groups:
The LDAP filter specified in the Custom Search | Advanced section of a Membership Rule query is incorrectly formatted.
The LDAP parser used in the Active Roles Console and the LDAP parser used by the Active Roles Administration Service are not the same.
When a user specifies more than one attribute without an operator, the parser used in the Active Roles Console assumes that the & (AND) operator should be used when executing the query.
The LDAP standard specifies that all LDAP queries of more than one attribute require the explicit inclusion of an operator. For more information, see Active Directory: LDAP Syntax Filters.
The Active Roles Administration Service has a stricter parser and requires that LDAP operators be specified. This is by design.
Correct any custom LDAP queries specified so that they explicitly include an operator.
INCORRECT: (description=*)(employeeNumber=*)
CORRECT: (&(description=*)(employeeNumber=*))
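To find affected Membership Rule filters before the Administration Service rejects them, the check below (an added example, not One Identity code) splits a filter into its top-level components and wraps several components in an explicit AND, which is what the Console is described above as assuming. The function names and the sample rule names are hypothetical, and only the parenthesis structure is checked, not attribute names or values.

```python
def split_top_level(ldap_filter):
    """Return the top-level parenthesised components of an LDAP filter."""
    # RFC 4515 escapes literal parentheses in values as \28 and \29,
    # so depth counting is enough to find component boundaries.
    text = ldap_filter.strip()
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                if text[start:i].strip():
                    raise ValueError(f"text outside parentheses at offset {start}")
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unmatched ')' at offset {i}")
            if depth == 0:
                parts.append(text[start:i + 1])
                start = i + 1
    if depth:
        raise ValueError("unmatched '('")
    if text[start:].strip() or not parts:
        raise ValueError("empty filter or text outside parentheses")
    return parts

def normalize(ldap_filter):
    """Return (filter, changed); several top-level components get an explicit AND."""
    parts = split_top_level(ldap_filter)
    if len(parts) == 1:
        return parts[0], False
    return "(&" + "".join(parts) + ")", True

def audit(rules):
    """Map each rule name to (status, corrected filter or error text)."""
    report = {}
    for name, flt in rules.items():
        try:
            fixed, changed = normalize(flt)
            report[name] = ("missing-operator" if changed else "ok", fixed)
        except ValueError as exc:
            report[name] = ("invalid", str(exc))
    return report

SAMPLE_RULES = {  # constructed sample data, not taken from a real deployment
    "DG-Implicit": "(description=*)(employeeNumber=*)",
    "DG-Explicit": "(&(description=*)(employeeNumber=*))",
    "DG-Unbalanced": "(&(description=*)(employeeNumber=*)",
}

if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE_RULES).items():
        print(f"{name}: {status}: {detail}")
```

Review each corrected filter before saving it: a rule that was meant to match any of its attributes needs | (OR) rather than the & that this check inserts.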