LDAP sync fails when there are special characters in distinguished names.
For example, if there was a user with the distinguished name of OU=test/test,OU=users,DC=EXAMPLE,DC=COM and that user was a member of a synced group, then the lookup of the user using the membership attribute in the group would fail due to the special character.
The error would look something like
Update the library versions for Spring LDAP:
- org.springframework.security/spring-security-ldap to 4.0.4.RELEASE
- org.springframework.ldap/spring-ldap-core to 2.0.4.RELEASE
Then use LdapUtils.newLdapName to convert a String representing a DN into a javax.naming.ldap.LdapName and use that object in the search facility executed in org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator#getFilteredLdapUsers(java.lang.String, org.springframework.ldap.filter.Filter).
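Why the String form of that DN is fragile, as an added example that is not Ambari's code: JNDI parses a String name as a composite name, in which `/` separates components, while `javax.naming.ldap.LdapName` (the type `LdapUtils.newLdapName` returns) parses it as a single DN. The class and method names below are hypothetical, and the example uses only the JDK so it runs without Spring.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical demo class, not part of Ambari or Spring LDAP.
public class DnSlashDemo {

    // How JNDI splits a name passed as a String: it is a composite name,
    // and '/' is the composite-name component separator.
    static List<String> compositeComponents(String name) throws InvalidNameException {
        return Collections.list(new CompositeName(name).getAll());
    }

    // How the same text parses as an LDAP DN: one name whose RDNs are
    // separated by ','; a '/' inside an RDN value is ordinary data.
    static List<String> ldapRdns(String dn) throws InvalidNameException {
        List<String> rdns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            rdns.add(rdn.getType() + "=" + rdn.getValue());
        }
        // getRdns() puts the right-most RDN at index 0; reverse so the
        // list reads in the same order as the DN string.
        Collections.reverse(rdns);
        return rdns;
    }

    public static void main(String[] args) throws InvalidNameException {
        // The DN from the description above, as read from a group's
        // membership attribute.
        String memberDn = "OU=test/test,OU=users,DC=EXAMPLE,DC=COM";

        // Parsed as a composite name, the DN is cut in two at the '/'.
        System.out.println("As composite name: " + compositeComponents(memberDn));

        // Parsed as an LdapName, the DN stays whole and the slash
        // remains part of the first RDN's value.
        System.out.println("As LdapName RDNs:  " + ldapRdns(memberDn));

        // An LdapName passed as the search base is used as a DN as-is,
        // so no composite-name splitting is applied to it.
        System.out.println("LdapName string:   " + new LdapName(memberDn));
    }
}
```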