IBM Support

LO88664: DOMINO LDAP DOESN'T RETURN ANY RESULTS FOR SPECIFIC COMPLEX FILTERS.


APAR status

  • Closed as fixed if next.

Error description

  • Domino LDAP doesn't return any results for specific complex
    filters.
    Failing search filter :
    (&(&(!(mail=*.lt))(!(cn=wasadmin)))(mail=iuser1@fr.ibm.com))
    
    While with an extra OR the search filter succeeds :
    (&(|(&(!(mail=*.lt))(!(cn=wasadmin))))(mail=iuser1@fr.ibm.com))
    
    
    
    The following complex type of LDAP search against a Domino LDAP
    (reproduced with the latest Domino 901 build) will fail to find
    the user :
    
    ldapsearch -h <ldap server hostname> -D <admin user> -w <admin pw> "(&(&(!(mail=*.lt))(!(cn=wasadmin)))(mail=iuser1@fr.ibm.com))" cn sn mail
    
    
    while a slightly different complex structure will be
    successful :
    ldapsearch -h <ldap server hostname> -D <admin user> -w <admin pw> "(&(|(&(!(mail=*.lt))(!(cn=wasadmin))))(mail=iuser1@fr.ibm.com))" cn sn mail
    
    
    With the 1st complex filter, the Domino LDAP doesn't seem to
    know which view to search.  Debug returns the following :
    
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP> ***** Start search request processing *****
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>     Scope: SUBTREE
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>     Dereference Aliases: 0
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>     TimeLimit: 15
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>     SizeLimit: 0
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>     Attributes to return:
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>             cn
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>             mail
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>             sn
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>     Base:
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP>     Filter: (&(&(!(mail=*.lt))(!(cn=wasadmin)))(mail=iuser1@fr.ibm.com))
    [0F28:0054-0664] 05/04/2016 16:05:11,08 LDAP> *** Searching in database C:\IBM\Domino\data\names.nsf ...
    [0F28:0054-0664] 05/04/2016 16:05:11,09 LDAP>   Type of search: View Search
    [0F28:0054-0664] 05/04/2016 16:05:11,09 LDAP> GetSearchEntry State
    [0F28:0054-0664] 05/04/2016 16:05:11,09 LDAP> Search State
    [0F28:0054-0664] 05/04/2016 16:05:11,09 LDAP> ***** Count of search entries returned (total): 0 *****
    
    
    The code does enter the "View Search" section (as expected),
    but it seems that no view is searched at all and therefore no
    results are returned.


    The ini setting LDAP_COMPLEX_FILTER=1 doesn't change the
    behavior. As soon as the search filter contains the double AND,
    no view is searched.

    These complex filters are created by the WebSphere search and
    authentication APIs.  The WebSphere search API creates the
    filter with the double "&", which fails; the auth API creates
    the filter with the additional "|", which is successful.
    WebSphere dev stated this is working as designed, and as it
    doesn't cause any issue for other LDAP Directory types, we need
    to identify why Domino LDAP doesn't search any view index when
    the filter is preceded by the double "&".  Logically there is
    no difference, so it should work.
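
The two filters from this APAR, parsed, normalized and evaluated side by side, as an added example that is not part of the APAR and is not Domino or WebSphere code. It illustrates the statement that the filters do not differ logically: both reduce to the same tree and select the same entries. Assumptions: the parser covers only &, |, ! and attr=value with "*" wildcards, matching is two-valued and case-insensitive, and parse, normalize, matches, compare and ENTRIES are names and sample data constructed for this illustration.

```python
import re

def parse(s, i=0):  # returns (node, next_index) for the filter starting at s[i]
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, tuple(kids))
    else:
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")
        node, i = ("=", attr.lower(), value.lower()), end
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def normalize(node):
    """Flatten nested AND/OR and unwrap AND/OR that has a single operand."""
    if node[0] == "=":
        return node
    op, kids = node[0], [normalize(k) for k in node[1]]
    if op == "!":
        return ("!", tuple(kids))
    flat = [g for k in kids for g in (k[1] if k[0] == op else (k,))]
    return flat[0] if len(flat) == 1 else (op, tuple(sorted(set(flat))))

def matches(node, entry):
    """Two-valued evaluation; case-insensitive values, '*' is a wildcard."""
    if node[0] == "=":
        pattern = ".*".join(re.escape(p) for p in node[2].split("*"))
        return any(re.fullmatch(pattern, v.lower()) for v in entry.get(node[1], []))
    if node[0] == "!":
        return not matches(node[1][0], entry)
    return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])

FAILING = "(&(&(!(mail=*.lt))(!(cn=wasadmin)))(mail=iuser1@fr.ibm.com))"
WORKING = "(&(|(&(!(mail=*.lt))(!(cn=wasadmin))))(mail=iuser1@fr.ibm.com))"
ENTRIES = [  # constructed sample entries, not taken from the APAR
    {"cn": ["iuser1"], "mail": ["iuser1@fr.ibm.com"]},
    {"cn": ["wasadmin"], "mail": ["iuser1@fr.ibm.com"]},
    {"cn": ["other"], "mail": ["other@example.lt"]}]

def compare(a, b, entries=ENTRIES):
    ta, tb = parse(a)[0], parse(b)[0]
    hits = lambda t: [e["cn"][0] for e in entries if matches(t, e)]
    return normalize(ta) == normalize(tb), hits(ta), hits(tb)
```

compare(FAILING, WORKING) returns the equivalence flag followed by the cn values each filter selects from the sample entries.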
    

Local fix

Problem summary

  • This APAR is closed as FIN. We have deferred the fix to a
    future release.
    

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# RSTNA92D6E.
    This APAR is closed as FIN. We have deferred the fix to a
    future release.
    

APAR Information

  • APAR number

    LO88664

  • Reported component name

    DOMINO SERVER

  • Reported component ID

    5724E6200

  • Reported release

    901

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-04-15

  • Closed date

    2016-07-25

  • Last modified date

    2016-07-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R901 PSN

       UP


Document Information

Modified date:
25 July 2016