Question:
We are trying to apply the following LDAP filter to an existing
partnership: (&(uid=*)(userRoles=MYROLE;MYROLE_USER))
But it seems this one doesn't work. How should we configure this?
Answer:
The semicolon is used to separate multiple DNs in a search query, but
it does not apply in an LDAP filter. This should be done differently.
Please check the "Filter Any" example 2 in the following document:
User Identification for a Partnership
https://docops.ca.com/ca-single-sign-on/12-6-01/en/configuring/partnership-federation/user-identification-for-a-partnership
For this and more information on LDAP filters, you can check:
https://www.ldap.com/ldap-filters
https://docs.ldap.com/specs/rfc4515.txt
Use extensible match filters to check that the user has both
roles.
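
The following is an added example, not taken from the CA documentation or from the "Filter Any" example referenced above. It evaluates filters against constructed entries to show that the semicolon is matched as a literal character of the assertion value, and how one equality item per role, combined with & or |, behaves instead. It uses plain equality items per RFC 4515 rather than the extensible match syntax mentioned above; the names parse, matches, search and ENTRIES are hypothetical.

```python
# Added example: evaluator for a subset of RFC 4515 filters (&, |, !,
# equality, presence). No substring filters or \XX escapes. Values are
# compared as exact strings (an assumption; a real server applies the
# attribute's matching rule).

def parse(f, i=0):
    """Parse the filter at f[i] == '('; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1:i + 2] in ("&", "|", "!"):
        op, i, kids = f[i + 1], i + 2, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, kids), i + 1
    end = f.find(")", i)
    attr, sep, value = f[i + 1:end].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed filter item at offset {i}")
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of value lists)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    # "(attr=*)" is a presence test; otherwise the whole assertion value,
    # including any ';', must equal one stored value of the attribute.
    return bool(values) if value == "*" else value in values

# Constructed sample directory entries (not real data).
ENTRIES = {
    "alice": {"uid": ["alice"], "userRoles": ["MYROLE", "MYROLE_USER"]},
    "bob": {"uid": ["bob"], "userRoles": ["MYROLE"]},
    "carol": {"uid": ["carol"], "userRoles": ["MYROLE;MYROLE_USER"]},
}

def search(filter_text):
    """Return the sorted names of the sample entries the filter matches."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(n for n, e in ENTRIES.items() if matches(node, e))
```

With these entries, the filter from the question matches only the entry whose single role value is the literal string MYROLE;MYROLE_USER, while the & form matches the entry holding both roles.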
KB : KB000099441