Bug ID: 6979376 to have ldap filters tolerate underscore character in object identifier

Details
Type: Bug
Submit Date: 2010-08-24
Status: Resolved
Updated Date: 2010-12-25
Project Name: JDK
Resolved Date: 2010-12-21
Component: core-libs
OS: generic
Sub-Component: javax.naming
CPU: generic
Priority: P3
Resolution: Fixed
Affected Versions: 6,6u21,7
Fixed Versions: 7

Description
Per the request of CR 6916202 and the LDAP standards, the JNDI implementation tightened its checking of LDAP filters according to the LDAP standards. However, some applications have for many releases and years used illegal object identifiers in LDAP filters that contain an underscore ("_"). For better compatibility, we should tolerate the improper character.

The original e-mail requesting that the compatibility problem be addressed:

"DIP provisioning functionality for version 3 profiles is broken after uptake of JDK update 21 (JDK6_MAIN_LINUX_100622.1.6.0.21.B06). The issue is due to a fix made by the JNDI team in update 21 (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6916202). They have basically included some additional checks for some invalid search filters.

The issue now that we are hitting is that, whenever we issue a search query with attribute/subtype containing "underscore"( _ ), JNDI throws invalid filter exception. This was working fine till update 20 and only after uptake of update 21, we are hitting this.

       Sample filter: (orcluserapplnprovstatus;EMAIL_email=PROVISIONING_FAILURE)

Since we are using EMAIL_email in the subtype part (containing underscore), JNDI now throws InvalidFilterException and provisioning functionality is broken. I searched the RFCs but could not find any reference mentioning "underscore" is invalid in the subtype part in the search filter. So, not sure why this check is introduced now. Also, the back-end server is not complaining about anything and we have been using this type of search for quite a few releases. I tried in DSEE also and DSEE also allows adding attributes with underscore in subtypes.

This has a serious impact for DIP and needs to be addressed ASAP. The issue is easily reproducible with any search filter containing an underscore in the subtype part.

Can you please route/escalate this appropriately so that we can try to get the fix quickly?"

                                    

Comments
EVALUATION

http://hg.openjdk.java.net/jdk7/build/jdk/rev/0e0bdcd9c101
                                     
2010-12-25
EVALUATION

The underscore ("_") character is not allowed by the LDAP specification. We allow it here to tolerate the incorrect use in practice.
                                     
2010-12-03
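
The difference between the strict check and the tolerant one can be seen by validating the attribute description of a filter item against the RFC 4512 grammar (keychar = ALPHA / DIGIT / HYPHEN). This is an added example, not the JDK's code or the referenced changeset: the class and method names are hypothetical, the tolerant mode is assumed to accept "_" wherever a keychar is allowed, and only simple `=`, `~=`, `<=` and `>=` items are handled.

```java
import java.util.regex.Pattern;

public class AttrDescCheck {
    // RFC 4512: descr = ALPHA *keychar; numericoid = number 1*("." number);
    // attributedescription = (descr / numericoid) *(";" 1*keychar)
    static Pattern grammar(String keychar) {
        String descr = "[A-Za-z]" + keychar + "*";
        String number = "(?:0|[1-9][0-9]*)";
        String numericoid = number + "(?:\\." + number + ")+";
        String option = keychar + "+";
        return Pattern.compile("(?:" + descr + "|" + numericoid + ")(?:;" + option + ")*");
    }

    static final Pattern STRICT = grammar("[A-Za-z0-9-]");    // keychar per RFC 4512
    static final Pattern TOLERANT = grammar("[A-Za-z0-9_-]"); // assumption: also accept "_"

    // Extracts the attribute description from a simple "(attr=value)" item.
    static String attributeDescription(String item) {
        int eq = item.indexOf('=');
        if (!item.startsWith("(") || !item.endsWith(")") || eq < 2) {
            throw new IllegalArgumentException("not a simple filter item: " + item);
        }
        int end = eq;
        char prev = item.charAt(eq - 1);
        if (prev == '~' || prev == '<' || prev == '>') {
            end--; // operator is ~=, <= or >=
        }
        return item.substring(1, end);
    }

    static boolean isValid(String item, boolean tolerateUnderscore) {
        Pattern p = tolerateUnderscore ? TOLERANT : STRICT;
        return p.matcher(attributeDescription(item)).matches();
    }

    public static void main(String[] args) {
        String[] samples = {
            "(orcluserapplnprovstatus;EMAIL_email=PROVISIONING_FAILURE)", // filter from the report
            "(cn;lang-en=Smith)", // constructed: valid option
            "(2.5.4.3=Smith)",    // constructed: numeric OID
            "(cn;=Smith)",        // constructed: empty option, invalid in both modes
        };
        for (String s : samples) {
            System.out.printf("%-60s strict=%-5b tolerant=%b%n",
                    s, isValid(s, false), isValid(s, true));
        }
    }
}
```

Only the first sample changes between the two modes; the underscore in the filter value is irrelevant because the check applies to the attribute description alone.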


