000037482 - Unbalanced parenthesis error using the userAccountControl attribute in the Active Directory/LDAP Account Search Filter of an ADC in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 6, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037482
Applies ToRSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 6.9.1, 7.x
IssueWhen using the userAccountControl attribute in the Account Search Filter of the Account Data Collector definition for Active Directory and LDAP Account Data Collectors in RSA Identity Governance & Lifecycle, the following error occurs when testing the filter:
 
javax.naming.directory.InvalidSearchFilerException:Unbalanced parenthesis;
remaning name 'OU=vcloud Users,DC=2k8r2-vcloud,DC=local'

 


User-added image
CauseThe syntax is incorrect. 
ResolutionThe userAccountControl Attribute requires an extra set of parentheses surrounding it. These are showin below in red. 

Modify the reference to the userAccountControl attribute in the Account Search Filter definition:
 
  • Change from (!userAccountControl:1.2.840.11.1.4.802:=2)
  • Change to (!(userAccountControl:1.2.840.11.1.4.802:=2))

Note the extra set of parentheses that are required after the exclamation point and the attribute name, and also to end the string.



In the above example this would look like:
  • Change from

(&(objectCategory=person)(objectClass=user)(!userAcountControl:1.2.840.11.1.4.802:=2)(sAMAccountName=*))


 


  • Change to:

(&(objectCategory=person)(objectClass=user)(!(userAcountControl:1.2.840.11.1.4.802:=2))(sAMAccountName=*))

Attachments

    Outcomes