users@glassfish.java.net

group-search-filter wildcard escape

From: <glassfish_at_javadesktop.org>
Date: Wed, 06 Jun 2007 10:13:36 PDT

In our environment we use Active Directory. Here's a sample LDIF from our AD:

version: 1
dn: CN=Bills\, Noelle,OU=Users,OU=821 Quebec,DC=emjmetals,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
accountExpires: 0
cn: Bills, Noelle
displayName: Bills, Noelle
distinguishedName: CN=Bills\, Noelle,OU=Users,OU=821 Quebec,DC=emjmetals,DC=com
givenName: Noelle
memberOf: CN=821 Resume,OU=E-mail Distribution Lists,DC=emjmetals,DC=com
memberOf: CN=821 Quote Rqst,OU=E-mail Distribution Lists,DC=emjmetals,DC=com
memberOf: CN=Users,CN=Builtin,DC=emjmetals,DC=com
name: Bills, Noelle
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=emjmetals,DC=com
sAMAccountName: 1Bills
sn: Bills

We are able to resolve users using this filter:
(&(objectClass=user)(sAMAccountName=%s))

When we try to resolve the groups that the user belongs to we run into problems when using the filter:
(&(objectClass=group)(member=%d))

It works fine if we try a service account, which has a single word for its name, with no commas. But when using a user that has commas in individual parameters of the DN, we aren't able to get a match.

We've figured out why we can't resolve the groups by writing a simple JSE program that uses a directory context to do the user resolution and group resolution.

What we found is that it will match if we escape the slash in front of the comma as \5c, so to match the user from the sample ldif I would use the following filter:
(&(objectClass=group)(member=CN=Bills\5c, Noelle,OU=Users,OU=821 Quebec,DC=emjmetals,DC=com))

Does anyone know if there's a way to have GlassFish escape slashes before matching the group-search-filter?
[Message sent by forum member 'johnatemj' (johnatemj)]

http://forums.java.net/jive/thread.jspa?messageID=220838
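
The escaping described in the message above, generalized to the full set of characters that RFC 4515 requires to be escaped in a search filter value. This is an added example, not code from the original post or from GlassFish; the class and method names (GroupFilterEscape, escapeFilterValue, buildGroupFilter) are hypothetical, and the second DN is constructed for illustration.

```java
public class GroupFilterEscape {

    // Escape a string for use as an assertion value inside an LDAP search
    // filter (RFC 4515). The backslash that escapes the comma in the DN is
    // itself a filter metacharacter, so it must become \5c in the filter.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break; // otherwise a wildcard
                case '(':  out.append("\\28"); break; // otherwise opens a sub-filter
                case ')':  out.append("\\29"); break; // otherwise closes the filter early
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Substitute the escaped DN for the %d placeholder used in the post's
    // filter. String.replace is a literal replacement, so the backslashes
    // in the escaped value are not reinterpreted.
    static String buildGroupFilter(String template, String userDn) {
        return template.replace("%d", escapeFilterValue(userDn));
    }

    public static void main(String[] args) {
        String template = "(&(objectClass=group)(member=%d))";

        // DN from the sample LDIF in the post (Java source needs "\\" for one backslash).
        String dn = "CN=Bills\\, Noelle,OU=Users,OU=821 Quebec,DC=emjmetals,DC=com";
        System.out.println(buildGroupFilter(template, dn));

        // Constructed DN containing other filter metacharacters: left unescaped,
        // the parentheses and asterisk would change the structure of the filter.
        String odd = "CN=Ops (EU)*,OU=Users,DC=example,DC=com";
        System.out.println(buildGroupFilter(template, odd));
    }
}
```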