Ldap_search(): Search: Bad search filter - while filtering for groups

Hi there,

Operating system: Linux 5.15.0-52-generic #58-Ubuntu SMP Thu Oct 13 08:03:55 UTC 2022 x86_64

Webserver: nginx/1.18.0 (fpm-fcgi)

Database: pgsql PostgreSQL 15.0 (Ubuntu 15.0-1.pgdg22.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, 64-bit

PHP version: 8.1.2

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, Reflection, SPL, session, standard, sodium, cgi-fcgi, mysqlnd, PDO, xml, apcu, bcmath, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, intl, ldap, exif, mysqli, pdo_mysql, pdo_pgsql, pgsql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, ssh2, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 25.0.0 -

I’m running a fresh Nextcloud instance and want to test how to hook it to a FreeIPA server via LDAP. Basic setup went fine and I can see all my groups and users in NC Administration. Group folders and permissions based on LDAP groups are working. Nested group memberships do also work as expected. I add a user to the lowest group for his team or task. Each group is then member of the next higher level group.

Now I wish to reduce the number of groups shown in the different Apps to the ones I need to work with. Basically in my test setup I first want to exclude two groups for the available

g_ is a general LDAP group to hold all user and group objects in the organization
g_staff are all internal staff members

g_nc is the group I use to give general access to Nextcloud → used in User FIlter of the LDAP connector. The group g_staff is member of g_nc

From here I divide my organization into resorts, then teams

g_adm => administrative
g_adm_fin => finances
g_adm_hr = you get it

g_ops => operations
g_ops_sales => you get it

Problem Detail

my LDAP search filter for groups to use in NC was:


and it listed all groups starting with g_ as expected.

I wish to remove the particular groups g_ and g_nc from the list of available groups and created a new filter string like


and expected to see all g_* groups but not g_nc or g_. I tested this filter string (and the one above) in Ldapadmin against my whole directory and both returned exactly the result I was expecting.

But in NC only the upper filter string works, the second one throws ldap_search() errors.

Any idea wat ldap_search() might not like about my search string?

Thanks & best regards,

The output of your Nextcloud log in Admin > Logging:

PHP	Error: ldap_search(): Search: Bad search filter at /home/user/domain/public_html/apps/user_ldap/lib/LDAP.php#306
/home/user/domain/public_html/apps/user_ldap/lib/LDAP.php - line 208:



OCA\User_LDAP\LDAP->OCA\User_LDAP\{closure}("*** sensiti ... *")



/home/user/domain/public_html/apps/user_ldap/lib/LDAP.php - line 306:


/home/user/domain/public_html/apps/user_ldap/lib/LDAP.php - line 213:

OCA\User_LDAP\LDAP->invokeLDAPMethod("*** sensiti ... *")



/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1060:


/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1063:

OCA\User_LDAP\Access->OCA\User_LDAP\{closure}("*** sensiti ... *")

/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1121:

OCA\User_LDAP\Access->invokeLDAPMethod("*** sensiti ... *")

/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1221:


/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1016:


/home/user/domain/public_html/apps/user_ldap/lib/Wizard.php - line 111:


/home/user/domain/public_html/apps/user_ldap/lib/Wizard.php - line 133:


/home/user/domain/public_html/apps/user_ldap/ajax/wizard.php - line 96:


/home/user/domain/public_html/lib/private/Route/Route.php - line 155:

require_once("/home/user ... p")


OC\Route\Route->OC\Route\{closure}("*** sensiti ... *")

/home/user/domain/public_html/lib/private/Route/Router.php - line 306:


/home/user/domain/public_html/lib/base.php - line 1047:


/home/user/domain/public_html/index.php - line 36: