Issue
LDAP Exception: The search filter is invalid. ErrorCode: 87, ServerMessage: '' LDAP to Contoso.net (10.0.0.91) for DC=Contoso,DC=net Request type: System.DirectoryServices.Protocols.SearchRequest (&(|)(objectClass=group)) : distinguishedName, objectGUID, cn, name, mail, mailNickname, samAccountName, displayName, objectSID, adminDescription User: testuser@contoso.net
Cause
This type of error message will be observed if custom Matching is configured in the DirSync Profile where the matching Source Attribute contain empty value. This can happen if the attribute defined in the Matching Setting can accept Empty Value in AD. Example ExtensionAttrbute, EmployeeID. Hence DirSync will not be able to construct a proper LDAP Search Filter in this case.
Solution
Create a Source LDAP Filter that will filter out these objects that do not have the attribute set and only include the objects that has the value set. Sample LDAP Filter, (EmployeeID=*). This LDAP filter will include objects that have the Employee ID Set.
