[CentOS] sssd ldap_user_search_base filters with '#' characters in names

Fri Nov 16 21:57:37 UTC 2018
James Pearson <james-p at moving-picture.com>

James Pearson wrote:
> I'm trying to craft an ldap search filter for use with
> ldap_user_search_base in sssd.conf which is using Active Directory (AD)
> as the back end on CentOS 7 clients
> The filter looks for users that are memberOf a particular group -
> however, the group name starts with a '#' character - i.e. in AD, the
> group name is listed as something like '#ABC XYZ'
> But when I set ldap_user_search_base to something like:
>    ldap_user_search_base = OU=Users,DC=Example,DC=com?subtree?(memberOf=CN=#ABC XYZ,OU=Groups,DC=Example,DC=com)
> then 'getent passwd user' fails to return anything (for 'user' that is
> in that group)
> However, when using the above syntax with a group name that doesn't
> start with a '#' character, then things work as expected
> When I use ldapsearch, it reports that the user is a memberOf:
>    memberOf: CN=\#ABC XYZ,OU=Groups,DC=Example,DC=com
> But using the '\' in sssd.conf for the search filter causes sssd to error
> with 'Invalid search filter' in the logs
> Escaping the Escape ('\\') also gives 'Invalid search filter'
> Does anyone know how to 'escape' special characters in search filters in
> sssd.conf ?

After going round in circles for a while - I managed to get this working

Turns out you can use the hexadecimal code for characters in an LDAP 
filter/search path/whatever - which is escaped via '\' followed by 2 
hexadecimal characters - so the following works:

  memberOf: CN=\5C#ABC XYZ,OU=Groups,DC=Example,DC=com

i.e. 5C is the character code for '\'

This also explains why I was getting 'Invalid search filter' previously, 
as my use of '\' was followed by invalid hexadecimal characters ...

James Pearson
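A small Python helper, added here as an illustration and not part of James's post or of sssd itself, that performs the re-escaping the thread arrives at: the DN as ldapsearch prints it (RFC 4514 form, with the leading '#' written as '\#') is escaped again for use inside a filter (RFC 4515), so the backslash becomes '\5c'. It also flags any '\' not followed by two hex digits, which is the condition behind sssd's 'Invalid search filter'. The base?scope?filter layout is the one shown in the post.

```python
import re

# RFC 4515: characters that must be hex-escaped inside a filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\[0-9a-fA-F]{2}")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # non-ASCII: RFC 4515 escapes each UTF-8 byte as \xx
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search_base(base_dn: str, group_dn: str, scope: str = "subtree") -> str:
    """Build an sssd ldap_user_search_base value (base?scope?filter) restricting
    users to members of group_dn. group_dn is given exactly as ldapsearch prints
    it, e.g. r'CN=\#ABC XYZ,OU=Groups,DC=Example,DC=com'; the DN-level backslash
    is itself hex-escaped so the filter parser never sees '\#'."""
    return f"{base_dn}?{scope}?(memberOf={escape_filter_value(group_dn)})"


def invalid_escapes(filter_text: str) -> list:
    """Return every backslash sequence that is not '\\' plus two hex digits.
    Any such sequence makes an RFC 4515 parser (sssd included) reject the filter."""
    bad = []
    i = 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            m = _HEX_ESCAPE.match(filter_text, i)
            if m:
                i = m.end()
                continue
            bad.append(filter_text[i:i + 2])
        i += 1
    return bad


if __name__ == "__main__":
    # constructed sample values mirroring the thread
    group = r"CN=\#ABC XYZ,OU=Groups,DC=Example,DC=com"
    print(build_user_search_base("OU=Users,DC=Example,DC=com", group))
    print(invalid_escapes(r"(memberOf=" + group + ")"))
```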