Tivoli Access Manager for e-business, Version 6.1

Using valid characters for Active Directory user, group, and distinguished names

This section describes how to specify valid characters for Active Directory user names, group names, and distinguished names (DNs). In version 6.0, Tivoli Access Manager added support for special characters in DNs, as described in RFC 1779 and RFC 2253.

Attention: If you upgraded the policy server to Tivoli Access Manager, version 6.0, but did not upgrade the blade servers, you can create and import users whose names contain special characters. However, these users cannot authenticate at a Tivoli Access Manager blade of an earlier version (3.9, 4.1, or 5.1).

User and group names

Active Directory user and group names can contain all Unicode characters except for the following characters:

If you use special characters with the pdadmin utility, enclose each argument of the user or group command in double quotation marks. The double quotation marks allow the argument to be passed through without being interpreted by the operating system shell command processor.

Due to the variability of special character handling in general, avoid using special characters.

User and group distinguished names

Certain special characters are not allowed in a distinguished name (DN) unless the character is preceded by an escape character or is encoded in hexadecimal. To encode a character in hexadecimal, replace it with a backslash (\) followed by two hexadecimal digits.

The following characters must be escaped with a backslash (\) before being used in a distinguished name:

Because registries and command shell processors handle the backslash character (\) differently, avoid using it in distinguished names. For more information, see "Characters disallowed for distinguished names" in Appendix A of the IBM Tivoli Access Manager for e-business: Command Reference.

Other reserved characters, such as an equal sign (=), an asterisk (*), or a non-UTF-8 character, must be encoded in hexadecimal.

Example 1
To create a user with a DN that contains a comma next to the separator, escape the comma with a backslash:
pdadmin sec_master> user create "johndoe" "cn=doe\,john,cn=users,dc=mydomain,dc=com" John Doe password1
Example 2
To create a user with a DN that contains a carriage return, which is a reserved character, encode it in hexadecimal. The hexadecimal representation of a carriage return is 0D:
pdadmin sec_master> user create "johndoe" "cn=doe\0DJohn,cn=users,dc=mydomain,dc=com" John Doe password1
Example 3
To create a user with a DN that begins with a number sign (#), escape it with a backslash and quote the arguments:
pdadmin sec_master> user create "#pounduser" "cn=\#pounduser,cn=users,dc=mydomain,dc=com" "#pound" "user"
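The escaping rules described above (backslash-escape the RFC 2253 special characters, hex-encode control characters and the other reserved characters, and double-quote every pdadmin argument) are easy to get wrong by hand. The following Python block is an added example, not code from the Tivoli Access Manager product or this documentation: it escapes an attribute value for use in a DN, decodes it back so the result can be verified, builds the full DN, and emits the quoted `user create` command line shown in the three examples above. The set of characters that are hex-encoded rather than backslash-escaped ( = and * , plus all control and non-ASCII characters) is an assumption taken from the text above; check it against Appendix A of the Command Reference for your registry.

```python
import re

# RFC 2253 section 2.4: these characters must be backslash-escaped anywhere
# in an attribute value.
_BACKSLASH_ESCAPED = set(',+"\\<>;')

# Assumption, taken from the text above: these are hex-encoded (\XX) instead
# of backslash-escaped. Control characters and non-ASCII are hex-encoded too.
_HEX_ENCODED = set('=*')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value (the part after 'cn=') for use in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        code = ord(ch)
        if ch in _BACKSLASH_ESCAPED:
            out.append('\\' + ch)
        elif code < 0x20 or code == 0x7F or code > 0x7E or ch in _HEX_ENCODED:
            # Hex-encode each UTF-8 byte of the character, e.g. CR -> \0D
            out.append(''.join('\\%02X' % b for b in ch.encode('utf-8')))
        elif ch == '#' and i == 0:
            # A leading number sign would otherwise mark a BER-encoded value
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            # Leading and trailing spaces must be escaped, inner spaces not
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def unescape_dn_value(escaped: str) -> str:
    """Reverse escape_dn_value; used here to verify a DN before sending it."""
    buf = bytearray()
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch != '\\':
            buf.extend(ch.encode('utf-8'))
            i += 1
            continue
        if i == len(escaped) - 1:
            raise ValueError('dangling backslash at end of value')
        pair = escaped[i + 1:i + 3]
        if re.fullmatch(r'[0-9A-Fa-f]{2}', pair):
            buf.append(int(pair, 16))   # \XX -> one raw byte
            i += 3
        else:
            buf.extend(escaped[i + 1].encode('utf-8'))  # \c -> literal c
            i += 2
    return buf.decode('utf-8')


def build_dn(rdns):
    """Join (attribute, raw value) pairs into a DN, escaping each value."""
    return ','.join('%s=%s' % (attr, escape_dn_value(val)) for attr, val in rdns)


def pdadmin_user_create(user_id, dn, cn, sn, password):
    """Return the 'user create' line with every argument double-quoted."""
    if '"' in dn:
        # A quote inside a quoted argument is shell-dependent; refuse it
        # rather than emit a command that may be reinterpreted by the shell.
        raise ValueError('double quote in DN is not supported by this helper')
    args = [user_id, dn, cn, sn, password]
    return 'user create ' + ' '.join('"%s"' % a for a in args)


if __name__ == '__main__':
    # Constructed sample input mirroring the three examples above
    base = [('cn', 'users'), ('dc', 'mydomain'), ('dc', 'com')]
    for raw in ('doe,john', 'doe\rJohn', '#pounduser'):
        dn = build_dn([('cn', raw)] + base)
        assert unescape_dn_value(dn.split(',', 1)[0][3:]) == raw
        print(pdadmin_user_create('johndoe', dn, 'John', 'Doe', 'password1'))
```

The round trip through unescape_dn_value is the check worth keeping: if the decoded value differs from what you typed, the DN the registry will store is not the one you intended. The helper refuses a DN containing a double quote because, inside a double-quoted argument, the OS shell and pdadmin may each interpret the quote differently; the text above recommends avoiding backslashes in DNs for the same reason.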


