Assistance Needed – LDAP Group Lookup with Special Characters in Name

Hello,

I’m currently working on aggregating users from an Active Directory source. However, I’m encountering issues when querying a group whose name contains a “+” character. This seems to be interfering with the search.

Below are the configuration settings I’m using (note: values shown are syntactically similar but not real):

Search DN:
DC=domain,dc=com

LDAP Search Filter:
(& (objectCategory=user)(memberOf=CN=IGOR + BELLEZI Read,OU=XXXX,OU=YYYYYY,OU=ZZZZ,OU=WWWW,OU=AAA (AAA),DC=domain,DC=com))

Group Membership Search DN:
DC=domain,dc=com

Group Membership Search Filter:
(&(objectCategory=group)(|(cn=IGOR + BELLEZI Read))

Attempts made so far:

cn=IGOR + BELLEZI Read
cn=IGOR +\ BELLEZI Read

Also, using the Windows group pre-Windows 2000 name:
IGOR_BELLEZI

None of these attempts returned any users.

Interestingly, executing the PowerShell command below does work and retrieves group members as expected:

Get-ADGroupMember -Identity "IGOR_BELLEZI" | Select-Object Name, SamAccountName | Export-Csv -Path "C:\TEMP\GrupoAD.csv" -NoTypeInformation

For reference, the group’s distinguished name from AD is:

CN=IGOR + BELLEZI Read,OU=XXXX,OU=YYYYYY,OU=ZZZZ,OU=WWWW,OU=AAA (AAA),DC=domain,DC=com

Does anyone have suggestions or best practices for retrieving users from a group with this naming syntax via LDAP?

Thank you in advance!

Igor Bellezi

Hello @igorbellezi1

Hi, welcome to the SailPoint Developer Community, and thanks for posting the use case.

You can escape the “+” and other special characters in the LDAP filter as given below:

(& (objectCategory=user)(memberOf=CN=IGOR \2b BELLEZI Read,OU=XXXX,OU=YYYYYY,OU=ZZZZ,OU=WWWW,OU=AAA (AAA),DC=domain,DC=com))

Group Membership Search Filter
(&(objectCategory=group)(|(cn=IGOR \2b BELLEZI Read))

memberOf search filter:

(&(objectCategory=group)(|(cn=IGOR \2b BELLEZI Read))

Also: If the () characters in OU=AAA (AAA) cause issues, escape them as well:

  • ( = \28
  • ) = \29

Hello @asharma65

Thanks for the technical advice. Unfortunately it did not work.

Funny thing is, the entitlement is found in another source I have (not the users on it), and it comes in like this:

CN=IGOR \+ BELLEZI Read,OU=XXXX,OU=YYYYYY,OU=ZZZZ,OU=WWWW,OU=AAA (AAA),DC=domain,DC=com

I tried:
CN=IGOR \\2b BELLEZI Read,OU=XXXX,OU=YYYYYY,OU=ZZZZ,OU=WWWW,OU=AAA (AAA),DC=domain,DC=com

and also:

CN=IGOR \\2b BELLEZI Read,OU=XXXX,OU=YYYYYY,OU=ZZZZ,OU=WWWW,OU=AAA \28\29,DC=domain,DC=com

But these () signs may not be the issue, because in other aggregations they appear this way and users are retrieved.

Any other tip?

Can you try this new LDAP filter?

(&(objectCategory=user)(memberOf=CN=IGOR \2b BELLEZI Read,OU=XXXX,OU=YYYYYY,OU=ZZZZ,OU=WWWW,OU=AAA \28AAA\29,DC=domain,DC=com))

and your group search to this:

(&(objectCategory=group)(|(cn=IGOR \2b BELLEZI Read)))

Hi @igorbellezi, you seem to have an unbalanced number of parentheses in your group search filter. What’s the “|” for?

Hey @j_place, I will try to remove it to test it. Maybe because in the other LDAP search filter I had more groups and forgot to remove it.

Hey @udayputta, I did the same and, unfortunately, it returns no users.

Just to let you guys know, I was able to retrieve the users by doing the following:
For both searches, the syntax must be this:

(&(objectCategory=group)(|(cn=IGOR \5c\2b BELLEZI Read))

Because there was a backslash before the +.

\5c = backslash (\) and \2b = plus sign (+)

I appreciate all your support!

Regards!

Igor Bellezi
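As an added example (not code from the thread or from SailPoint's connector), this applies RFC 4515 filter-value escaping to the DN used in this thread; it shows why the backslash that AD already writes before the "+" in the group's DN becomes \5c\2b once that DN is used as a memberOf assertion value, and includes the parentheses-balance check raised above. The DN, OUs and attribute names are the thread's placeholders.

```python
# Added example: RFC 4515 escaping of LDAP filter values, using the
# placeholder DN from this thread (not code from the thread or SailPoint).

# Characters RFC 4515 requires to be hex-escaped inside an assertion value.
REQUIRED_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str, also: str = "+") -> str:
    r"""Escape one assertion value for an LDAP search filter (RFC 4515).

    Only the value is escaped, never the surrounding filter syntax. The
    characters in `also` are hex-escaped too; '+' is not required by the
    RFC but is escaped here to reproduce the \2b form used in the thread.
    """
    out = []
    for ch in value:
        if ch in REQUIRED_ESCAPES:
            out.append(REQUIRED_ESCAPES[ch])
        elif ch in also:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def member_of_filter(group_dn: str) -> str:
    r"""Build the user filter. `group_dn` is the DN string exactly as AD
    returns it (RFC 4514 form), so a '+' inside the CN is already written
    as '\+'. memberOf stores that string verbatim, so its backslash is part
    of the value being matched and must itself be escaped as \5c: that is
    how '\+' in the DN becomes '\5c\2b' in the filter."""
    return "(&(objectCategory=user)(memberOf=%s))" % escape_filter_value(group_dn)


def group_cn_filter(cn_value: str) -> str:
    """Build the group filter for a single cn value (no '|' needed)."""
    return "(&(objectCategory=group)(cn=%s))" % escape_filter_value(cn_value)


def parentheses_balanced(ldap_filter: str) -> bool:
    r"""Literal '(' and ')' must balance; hex-escaped \28 / \29 inside
    values are plain text and are correctly ignored by this count."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


# Constructed input: the group DN from the thread, with placeholder OUs.
GROUP_DN = r"CN=IGOR \+ BELLEZI Read,OU=AAA (AAA),DC=domain,DC=com"
```

Calling `member_of_filter(GROUP_DN)` yields the `\5c\2b` / `\28AAA\29` form that the thread arrived at, and `parentheses_balanced` flags the filter with the stray `(|` that was queried above.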

@igorbellezi1 Great, this was helpful for you 👍