DN escaping rules
Understand the distinguished name (DN) characters and how to use them.
A DN can contain special characters. These characters are , (comma), = (equals), + (plus), < (less than), > (greater than), # (number sign), ; (semicolon), \ (backslash), and " " (quotation marks).
To escape these special characters or other characters in an attribute value in a DN string, use any of the following methods:
- Method 1: If the character to be escaped is one of the special characters, precede it by a backslash (\ ASCII 92). This example shows a method of escaping a comma in an organization name:
    CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB
  This is the preferred method.
- Method 2: Otherwise, replace the character to be escaped by a backslash and two hex digits, which form a single byte in the code of the character. The code of the character must be in the UTF-8 code set.
    CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB
- Method 3: Surround the entire attribute value by " " (quotation marks) (ASCII 34) that are not part of the value. Between the quotation character pair, all characters are taken as is, except for the \ (backslash). The \ (backslash) can be used to escape a backslash (ASCII 92) or quotation marks (ASCII 34), any of the special characters previously mentioned, or hex pairs as in method 2. For example, with the quotation marks escaped, cn=xyz"qrs"abc becomes cn=xyz\"qrs\"abc. To escape a \:
    "you need to escape a single backslash this way \\"
  Another example: "\Zoo" is illegal, because 'Z' cannot be escaped in this context.
On the server end, when a DN is received in this form, the server reformats the DN using escape mechanisms number 1 and 2 for internal processing.
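An added Python example, not taken from the original page or from the directory server's code: `escape_value` applies methods 1 and 2 to a raw attribute value so that untrusted input cannot introduce extra DN components, and `normalize_quoted` rewrites a method 3 value into that form. The function names and the choice to hex-escape control and non-ASCII characters are assumptions.

```python
# Added example; function names are hypothetical, not a product API.
SPECIALS = set(',=+<>#;\\"')          # special characters listed on this page
HEX = set("0123456789abcdefABCDEF")

def escape_value(value: str) -> str:
    """Escape a raw attribute value using methods 1 and 2."""
    out = []
    for ch in value:
        if ch in SPECIALS:
            out.append("\\" + ch)                 # method 1: backslash + char
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # method 2: one \XX pair per UTF-8 byte (assumed policy for
            # control and non-ASCII characters)
            out.extend("\\%02X" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def unquote_value(quoted: str) -> str:
    """Decode a method 3 (quoted) value to its raw characters."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("value is not surrounded by quotation marks")
    body, raw, i = quoted[1:-1], bytearray(), 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            raise ValueError("unescaped quotation mark inside quoted value")
        if ch != "\\":
            raw += ch.encode("utf-8")             # taken as is
            i += 1
        elif body[i + 1:i + 2] and body[i + 1] in SPECIALS:
            raw += body[i + 1].encode("utf-8")    # \\, \" or another special
            i += 2
        elif len(body) >= i + 3 and body[i + 1] in HEX and body[i + 2] in HEX:
            raw.append(int(body[i + 1:i + 3], 16))  # hex pair as in method 2
            i += 3
        else:
            raise ValueError("illegal escape at offset %d" % i)  # e.g. "\Zoo"
    return raw.decode("utf-8")

def normalize_quoted(quoted: str) -> str:
    """Rewrite a method 3 value using methods 1 and 2 only."""
    return escape_value(unquote_value(quoted))
```

Build the DN by joining escaped values, for example `"O=" + escape_value(org)`, rather than concatenating raw input.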