If you are getting the "is not a valid LDAP filter" error message when querying AD by virtual attributes, check the following:
Check your LDAP filter for matching brackets. Any open bracket "(" should have a corresponding closing one ")".
If you mix real AD attributes with stored virtual attributes in one query, and you also mix "&" and "|" in that query, make sure your filter combines real and virtual attributes only by "&". This is a design limitation of ActiveRoles Server. Suppose you need to execute a query like this (search AD for users that have either edsvaCustomStoredVA set to Value1 or extensionAttribute1 set to Value2):
(&(objectClass=User)(|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))
Or, in more readable form:
(&
  (objectClass=User)
  (|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2))
)
Then you can "open" the "|" condition brackets:
(|
  (&(objectClass=User)(edsvaCustomStoredVA=Value1))
  (&(objectClass=User)(extensionAttribute1=Value2))
)
Note: There is a simple rule for this kind of transformation. You can treat "&" as multiplication "*" and "|" as addition "+" in mathematics, and use the basic rules you learned at school.
So:
(&(objectClass=User)(|(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))
becomes
(*(objectClass=User)(+(edsvaCustomStoredVA=Value1)(extensionAttribute1=Value2)))
which becomes
((objectClass=User) * ((edsvaCustomStoredVA=Value1) + (extensionAttribute1=Value2)))
which can be transformed to
( ((objectClass=User) * (edsvaCustomStoredVA=Value1)) + ((objectClass=User) * (extensionAttribute1=Value2)) )
and back to LDAP
(|(&(objectClass=User)(edsvaCustomStoredVA=Value1))(&(objectClass=User)(extensionAttribute1=Value2)))
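The same transformation can be automated. The following Python sketch is an added example, not part of ActiveRoles Server or of the original article: it checks that the brackets match and multiplies out "&" over "|" exactly as in the note above. The function names are hypothetical, and "!" clauses are assumed to be left untouched.

```python
from itertools import product

def parse(f, i=0):
    """Parse one bracketed item at f[i]; return (node, index after it)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    if f[i + 1:i + 2] in ("&", "|"):
        op, kids, i = f[i + 1], [], i + 2
        while i < len(f) and f[i] != ")":
            if f[i].isspace():          # tolerate the "readable" layout
                i += 1
                continue
            kid, i = parse(f, i)
            kids.append(kid)
        if i >= len(f) or not kids:
            raise ValueError("unbalanced or empty '&'/'|' group")
        return (op, kids), i + 1
    # Anything else (a comparison, a '!' clause) is kept as one atom:
    # copy text up to the bracket that closes it.
    depth = 0
    for j in range(i, len(f)):
        depth += (f[j] == "(") - (f[j] == ")")
        if depth == 0:
            return f[i:j + 1], j + 1
    raise ValueError("unbalanced brackets: missing ')'")

def terms(node):
    """Return the filter as a sum of products: a list of '&' groups."""
    if isinstance(node, str):
        return [[node]]
    op, kids = node
    parts = [terms(k) for k in kids]
    if op == "|":                       # addition: concatenate the terms
        return [t for p in parts for t in p]
    # multiplication: a*(b+c) = a*b + a*c
    return [sum(combo, []) for combo in product(*parts)]

def open_or_brackets(filter_text):
    """Rewrite a filter so every '|' sits outside every '&'."""
    text = filter_text.strip()
    node, end = parse(text)
    if end != len(text):
        raise ValueError("unbalanced brackets: text after final ')'")
    ands = ["(&" + "".join(t) + ")" if len(t) > 1 else t[0]
            for t in terms(node)]
    return "(|" + "".join(ands) + ")" if len(ands) > 1 else ands[0]
```

Calling open_or_brackets() on the nested filter from this article returns the expanded filter shown above; a filter with a missing or extra bracket raises ValueError instead.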