Return
-
Title
Cannot perform OR (|) LDAP query with custom attributes -
Description
When using a Include by Query rule on a Dynamic Group with OR (|) operations that contain virutal attributes, no results appear.
You might experience the same issue when using LDAP filters that combine built-in and custom virtual attributes using OR (|)operator in PowerShell scripts.
-
Cause
This is a by-design limitation of ActiveRoles Server.
-
Resolution
If you are getting the "is not a valid LDAP filter" error message when querying AD by virtual attributes, check the following:Check your LDAP filter for matching brackets. Any open bracket "(" should have a corresponding closing one ")".If you mix real AD attributes with stored virtual attributes in one query, and you also mix "& and "|" in one query, make sure your filter combines real and virtual attributes only by "&". This is the design limitation of ActiveRoles Server. If you need to execute a query like this (search AD for users that has either edsvaCustomStoredVA set to Value1 or extensionAttribute1 set to Value2):(&(objectClass=User)(|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))Or, in more readable form:(&(objectClass=User)(|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))Then you can "open" the "|" condition brackets:(|(&(objectClass=User) (edsvaCustomStoredVA=Value1))(&(objectClass=User) (extensionAttribute1=Value2)))Note: There is a simple rule for this kind of transformations. You can treat the "&" as multiply "*", and "|" as addition "+" operation in mathematics and use the basic rules you learned at school.So that:(&(objectClass=User)(|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))becomes(*(objectClass=User)(+(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))which becomes((objectClass=User) * ((edsvaCustomStoredVA=Value1) + (extensionAttribute1=Value2)))which can be transformed to( ((objectClass=User) * (edsvaCustomStoredVA=Value1)) + ((objectClass=User) * (extensionAttribute1=Value2)) )and back to LDAP(|(&(objectClass=User)(edsvaCustomStoredVA=Value1))(&(objectClass=User)(extensionAttribute1=Value2))) -
Change Request
TF00199629