If I manually escape the parentheses surrounding "affiliate" as seen below, then the ldapsearch command finds the user:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN \(affiliate\),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"

The problem is that FreeIPA is performing this query when it searches (the parentheses are not escaped):

ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"

I don't know how to get FreeIPA to inject those escapes, and I have no control over the content of the certificates on the users' PIVs (smartcards). The smartcards are given to us by the DHS mothership :(

I hope this makes our issue a little clearer.

Shane
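
An added example, not part of the original message and not FreeIPA's own code: escaping the certificate mapping string from the message as an LDAP filter assertion value, using the hex escapes that RFC 4515 defines (`\28` and `\29` for the parentheses). The function names are hypothetical; the mapping string is the sample value quoted above.

```python
import re

# Characters RFC 4515 requires to be escaped inside an assertion value,
# mapped to their backslash + two-hex-digit form.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can be used as the value of one filter item."""
    # Character-by-character, so a backslash is never escaped twice.
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse the \\XX escapes produced above (single-byte ASCII escapes only)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_certmap_filter(map_data: str) -> str:
    """Build the lookup filter shown in the message, with the value escaped."""
    return (
        "(&(ipaCertMapData=" + escape_filter_value(map_data) + ")"
        "(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
    )


# Sample mapping string taken from the message (subject CN contains parentheses).
MAP_DATA = (
    "X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,"
    "OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,"
    "OU=Department of Homeland Security,OU=DHS HQ,OU=People,"
    "CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ"
)

if __name__ == "__main__":
    # Only the structural parentheses of the filter remain unescaped.
    print(build_certmap_filter(MAP_DATA))
```

Escaping has to be applied to the value alone, before it is placed in the filter; running it over the finished filter would also escape the structural parentheses.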
