I'm trying to craft an ldap search filter for use with ldap_user_search_base in sssd.conf which is using Actice Directory (AD) as the back end on CentOS 7 clients The filter looks for users that are memberOf a particular group - however, the group name start with a '#' character - i.e. in AD, the group name is listed as something like '#ABC XYZ' But when I set ldap_user_search_base to something like: ldap_user_search_base = OU=Users,DC=Example,DC=com?subtree?(memberOf=CN=#ABC XYZ,OU=Groups,DC=Example,DC=com) then 'getent passwd user' fails to return anything (for 'user' that is in that group) However, when using the above syntax with a group name that doesn't start with a '#' character, then things work as expected When I use ldapsearch, it reports that the user is a memberOf: memberOf: CN=\#ABC XYZ,OU=Groups,DC=Example,DC=com But using the '\' in sssd.conf for the search filter cause sssd to error with 'Invalid search filter' in the logs Escaping the Escape ('\\') also gives 'Invalid search filter' Does anyone know how to 'escape' special characters in search filters in sssd.conf ? Thanks James Pearson _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos