LDAP query invalid characters

Question

I'm getting stuck with formatting an LDAP query against my AD. It appears that the '+' character is messing up my life.

the following query works fine for me:

//C# AD lookup

DirectoryEntry group = new DirectoryEntry(
    "LDAP://mydomain/CN=group name that works,OU=Groups,DC=myDomain,DC=us");

but when I attempt to look up a group that has the '+' character in it:

//C# AD Lookup failure with '+' in CN

DirectoryEntry group = new DirectoryEntry(
    "LDAP://mydomain/CN=name+ thatFails,OU=Groups,DC=myDomain,DC=us");

I get a 'Invalid dn syntax has been specified' exception.

I've passed a bunch of valid group names with all sorts of 'special' chars suchas '_' and '&' which work. it appears that the '+' character is what is causing my grief. how do I format my CN correctly to make my query valid?

EDIT

as suggested, I escaped the '+' char. This unfortunately did not help. below is my current ldap format:

LDAP://mydomain/cn=_bigGroup\+ management office,OU=Groups,DC=myDomain,DC=us

Mike Marshall · Accepted Answer

Apparently you need to escape some characters with a backslash, see the list here

Update:

The backslash does in fact work. I created a new user object with cn='Escape+Test' in my local ADAM instance (hosted on port 9389). I wrote a small Windows Forms program with the following code:

using (DirectoryEntry entry = new DirectoryEntry("LDAP://localhost:9389/CN=Escape\+Test,OU=MyUsers Users,DC=TEST,DC=LOCAL", "test", "xxxx", AuthenticationTypes.None))
{
     MessageBox.Show(entry.Properties["cn"][0].ToString());
}

The program displayed "Escape+Test" when I ran it.

Notice the double backslashes to represent an actual backslash and not an escape character. I would expect the same behavior on a full AD domain.

Just as a sanity check I replaced the backslash with %2B as mentioned by another answer and when I did I got a "no such object on the server" error when trying to access the entry's properties.

LDAP query invalid characters

Answers (2)

Related Questions