Tags: active-directory, ldap, rfc, distinguishedname

RFC 2253 - Lightweight Directory Access Protocol (v3)


I'm using the following: https://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/util/DN.html in my application.

For the creation of the DN object, I need to pass a dnString, which must adhere to the syntax described in RFC 2253.

My DN contains: "\" and "," characters (also "\," both right after each other).

I could not find any site that explains exactly how to get a valid DN for RFC 2253. I found:

https://ldapwiki.com/wiki/RFC%202253

https://www.rfc-editor.org/rfc/pdfrfc/rfc2253.txt.pdf

Both mention that "," and "\" are special characters, but neither states how to escape them correctly.

How can I get the valid DN with these values?


Solution

  • Page 4 of RFC 2253:

    If a character to be escaped is one of the list shown above, then it is prefixed by a backslash ('\' ASCII 92).

    So an escaped comma should be \, and an escaped backslash should be \\.

    A comma is a separator in a DN. For example:

    cn=admin,ou=marketing,o=corporation
    

    so it needs to be escaped only when it is not used as a separator, like this:

    cn=Smith\, John,ou=marketing,o=corporation
    

    Active Directory will escape it for you if you create an object with a CN that has a comma.

    The backslash is a special character because it's used to escape other characters. So if you are not using it for that purpose, it needs to be escaped using itself:

    cn=North\\South America,ou=marketing,o=corporation
    

    Although in that example I'd use a forward slash ("North/South America"), which brings up another point (unrelated to your immediate problem, but worth mentioning): the forward slash is not a special character in DNs, but it is in LDAP paths. So if you had a DN like this:

    cn=North/South America,ou=marketing,o=corporation
    

    Then if you need to use that in an LDAP path, you can't just drop that in:

    LDAP://cn=North/South America,ou=marketing,o=corporation
    

    because / is a separator character, so it would think that the DN is just cn=North. In those cases, you need to escape that with a backslash too:

    LDAP://cn=North\/South America,ou=marketing,o=corporation
    

    But only when you use it in an LDAP path.
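The following is an added example, not code from the question, the answer, or the JLDAP library: it implements the RFC 2253 section 2.4 escaping rules the answer quotes (comma and backslash, plus the other special characters `+ " < > ;`, a leading `#` or space, and a trailing space), assembles a DN from raw values, splits a DN back into RDNs at unescaped commas only, and applies the separate `/` escaping that an `LDAP://` path needs. The function names and the `LDAP://` prefix default are assumptions for the illustration; the DN values are the ones used in the answer.

```python
# Added example: RFC 2253 value escaping, DN assembly, unescaped-separator
# splitting, and the extra "/" escaping for LDAP paths. Not the page's own
# code; function names are hypothetical.

# Characters that RFC 2253 section 2.4 says must be escaped anywhere in a value.
RFC2253_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be placed into an RDN.

    Uses the backslash form from RFC 2253 section 2.4 (the \\XX hex-pair
    form is also permitted by the RFC but not used here):
      - each special character is prefixed with a backslash,
        so "," becomes "\\," and "\\" becomes "\\\\"
      - a leading space or "#" is escaped
      - a trailing space is escaped
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC2253_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Build a DN from (attribute, raw value) pairs, most specific RDN first."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def split_dn(dn: str):
    """Split a DN into its RDN strings at commas that are not escaped.

    Shows why the escaping matters: "cn=Smith\\, John" stays one RDN
    instead of being cut at the comma inside the name.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(ch + dn[i + 1])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def to_ldap_path(dn: str, prefix: str = "LDAP://") -> str:
    """Turn an RFC 2253 DN into an LDAP path.

    "/" is not special in a DN but is a separator in an LDAP path, so it
    gets a backslash here and only here, as the answer explains.
    """
    return prefix + dn.replace("/", "\\/")


if __name__ == "__main__":
    dn = build_dn([("cn", "Smith, John"), ("ou", "marketing"), ("o", "corporation")])
    print(dn)            # cn=Smith\, John,ou=marketing,o=corporation
    print(split_dn(dn))  # ['cn=Smith\\, John', 'ou=marketing', 'o=corporation']
    slash_dn = build_dn([("cn", "North/South America"), ("ou", "marketing"), ("o", "corporation")])
    print(slash_dn)               # unchanged: "/" is not special in a DN
    print(to_ldap_path(slash_dn))  # LDAP://cn=North\/South America,ou=marketing,o=corporation
```

Note that `to_ldap_path` is applied to an already RFC 2253-escaped DN, so the two escaping layers stay separate: the DN handed to a `DN` constructor never carries the `\/` escape, while the string placed after `LDAP://` does.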