Core issue
This problem occurs due to the presence of Cisco bug ID CSCeg60140.
Special character encoding in CiscoSecure ACS for Windows Lightweight Directory Access Protocol (LDAP) v3 search queries does not meet the RFC standards.
The RFC titled The String Representation of LDAP Search Filters requires that certain special characters in a search string be encoded as a backslash (\) followed by the two hexadecimal digits of the character's ASCII value. For example, a \ must be sent as \5c and a ( as \28. The logs show that this encoding does not happen:
AUTH 12/07/2004 15:33:16 I 0360 0992 External DB [DServDll.dll]: Start search operation...
AUTH 12/07/2004 15:33:16 I 0360 0992 External DB [DServDll.dll]: Search ou=memberlist, ou=ibmgroups, o=ibm.com for groups using: (&objectclass=GroupOfUniqueNames)(UniqueMember=uid=6589+5897,c=us,ou=bluepages,o=ibm.com)) result 0
The \ in the user ID must be encoded as \5c in order to meet the RFC. The search string must appear as shown:
(&(objectclass=GroupOfUniqueNames)(UniqueMember=uid=6589\5c+5897,c=us,ou=bluepages,o=ibm.com))
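The following is an added example, not Cisco ACS code, showing the encoding rule described above applied to the same group search. The escape table follows RFC 2254 section 4 (extended by RFC 4515 for non-ASCII bytes); the filter template, the user DN and the unbalanced sample filter are taken from the log lines above, and the function names are my own.

```python
# Added example (not Cisco's code): RFC 2254 / RFC 4515 escaping of values
# inside an LDAP search filter, applied to the ACS group search shown above.

# Characters that must never appear raw inside a filter value. Each is replaced
# by a backslash followed by two hex digits of its byte value.
_FILTER_SPECIALS = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe inclusion as an assertion value in a filter.
    Non-ASCII characters are emitted as escaped UTF-8 bytes (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append(_FILTER_SPECIALS[ch])
        elif ord(ch) > 0x7F:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unescaped_specials(value: str) -> list:
    """List the characters in a raw value that would need escaping.
    Useful when auditing values before they are placed into a filter."""
    return [ch for ch in value if ch in _FILTER_SPECIALS]


def build_group_search_filter(member_dn: str, escape: bool = True) -> str:
    """Build the GroupOfUniqueNames membership filter from the log above.
    escape=True is the RFC-compliant form; escape=False inserts the DN raw,
    which is the behaviour the text attributes to CSCeg60140."""
    value = escape_filter_value(member_dn) if escape else member_dn
    return "(&(objectclass=GroupOfUniqueNames)(UniqueMember=%s))" % value


def parens_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check for a filter string taken from a log: parentheses
    outside of \\xx escapes must balance, otherwise the filter is malformed."""
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # The user DN from the log: the "+" is DN-escaped with a backslash (RFC 2253),
    # and that backslash must in turn be filter-escaped as \5c.
    user_dn = "uid=6589\\+5897,c=us,ou=bluepages,o=ibm.com"
    print("needs escaping:", unescaped_specials(user_dn))
    print("RFC form:      ", build_group_search_filter(user_dn))
    print("raw form:      ", build_group_search_filter(user_dn, escape=False))
    # The filter string that appeared in the log is not even well formed.
    logged = "(&objectclass=GroupOfUniqueNames)(UniqueMember=uid=6589+5897,c=us,ou=bluepages,o=ibm.com))"
    print("logged filter balanced:", parens_balanced(logged))
```

Running the block prints the RFC-compliant filter that matches the expected search string above; `parens_balanced` is a quick way to flag malformed filters when reviewing ACS or directory server logs.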
This issue is seen with Cisco Secure ACS for Windows version 3.3.2.
Resolution
As a workaround, upgrade to Cisco Secure ACS for Windows version 3.3.3.