000022073 - Error: 'Bad search filter' when adding entitlement to RSA ClearTrust user

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000022073
Applies To: RSA ClearTrust 5.5.3
Microsoft Active Directory
Issue: Error: "Bad search filter" when adding entitlement to RSA ClearTrust user
When adding an entitlement to a user in the Entitlements Manager, the user receives RC_TRANSPORT_ERROR. The entitlements server log shows "Bad search filter (89); Bad parameter to an LDAP method".
Cause: The user's CN attribute contains a comma (e.g. the DN for the user is "cn=doe, john, cn=Users, dc=domain, dc=com"). Commas are the delimiter between the components of a DN, so a comma inside the CN value is escaped with a backslash (e.g., cn=doe\, john). This escaped comma causes the parsing of the DN to fail.
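The parsing problem described in the cause, as an added example that is not RSA ClearTrust code: a naive split on commas cuts the escaped CN in two, while an escape-aware split (RFC 4514) keeps it whole, and the same DN needs its backslash escaped again when it is used as a value in a search filter (RFC 4515). The function names, the sample DN (constructed from the article's example) and the `member` attribute are assumptions for illustration.

```python
import string

# Constructed sample, based on the DN in the article (comma in the CN escaped).
SAMPLE_DN = r"cn=doe\, john,cn=Users,dc=domain,dc=com"

def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas only (RFC 4514)."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN")
            current += dn[i:i + 2]      # keep the escape pair intact
            i += 2
        elif dn[i] == ",":
            rdns.append(current.lstrip())
            current, i = "", i + 1
        else:
            current += dn[i]
            i += 1
    rdns.append(current.lstrip())
    return rdns

def unescape_value(value):
    """Decode RFC 4514 escapes: backslash + hex pair, or backslash + character."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] != "\\":
            out += value[i].encode("utf-8")
            i += 1
        elif i + 1 >= len(value):
            raise ValueError("dangling backslash in value")
        elif len(value) > i + 2 and all(c in string.hexdigits for c in value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out += value[i + 1].encode("utf-8")
            i += 2
    return out.decode("utf-8")

def first_rdn_value(dn):
    """Return the unescaped value of the leftmost RDN (the user's CN here)."""
    return unescape_value(split_rdns(dn)[0].partition("=")[2])

def dn_filter(attr, dn):
    """Build (attr=<dn>) with the DN escaped as an RFC 4515 filter value."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "(%s=%s)" % (attr, "".join(table.get(c, c) for c in dn))
```

Calling `SAMPLE_DN.split(",")` on the same input returns five pieces instead of four RDNs, which is the failure mode a comma in the CN triggers in a parser that does not honour the backslash.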
Resolution: Since RSA ClearTrust 5.5.3, the ldap.conf file has a parameter, cleartrust.data.ldap.enable_special_chars, that handles this situation:

# Enables RSA ClearTrust to handle users whose CN attribute contains comma
# characters. This situation may occur in certain Active Directory
# environments.
# Allowed Values:
# true | false
# Default Value:
# false
#cleartrust.data.ldap.enable_special_chars :true

Uncomment the parameter, ensure it is set to true, and restart the RSA ClearTrust Authorization server and Entitlements server.
Legacy Article ID: a26677