Active Directory entries often have a backslash to escape a comma (',') or space (' ') in the user DN. The IdRepo layer would fail to issue the search request if the search filter contains any of the special characters defined in RFC 2254.
1. Set up OpenAM to use Active Directory as the datasource.
2. Create a user with common name "testfirst00 testlast00" and UID "testuser00" in Active Directory.
3. Create a group called "testgroup00" and assign the user created in step 2 to this group.
4. Log in to the OpenAM admin console.
5. Click [Access Control] -> select realm -> [Subject] -> click "testuser00".
5-repro). You will see that this user doesn't belong to any group, although it should.
We should escape special search filter characters.
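
One way to do that escaping, as an added example (not OpenAM's own code): `escapeFilterValue` is a hypothetical helper, and the sample DN and the `member`-based group filter are constructed assumptions about the kind of filter the IdRepo layer builds when it looks up a user's groups.

```java
public class LdapFilterEscape {

    // Escape a string for use as an assertion value inside an LDAP search
    // filter (RFC 2254, section 4). The characters '*', '(', ')', '\' and NUL
    // are replaced by a backslash followed by their two-digit hex code.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a user DN as returned by Active Directory,
        // where the comma inside the CN is escaped with a backslash.
        String userDn = "CN=testlast00\\, testfirst00,CN=Users,DC=example,DC=com";

        // Unescaped: the filter contains "\," which is not a valid
        // backslash-plus-two-hex-digits escape, so the filter is malformed.
        String raw = "(&(objectClass=group)(member=" + userDn + "))";

        // Escaped: the DN's backslash becomes \5c and the filter parses,
        // matching the literal DN value stored in the group's member attribute.
        String safe = "(&(objectClass=group)(member=" + escapeFilterValue(userDn) + "))";

        System.out.println("unescaped: " + raw);
        System.out.println("escaped:   " + safe);
    }
}
```

The escaping applies only to the value placed inside the filter, not to the DN used as a search base. The same step also keeps a value containing `(`, `)` or `*` from changing the structure of the filter.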