Escaping Distinguished Name


Escaping of Distinguished Names is specified in RFC 4514.

Generally, depending on the LDAP client and the context, the following characters must be escaped in a Distinguished Name:

  • SPACE (' ') (U+0020)
  • DQUOTE (") (U+0022)
  • SHARP (#) (U+0023)
  • PLUS (+) (U+002B)
  • COMMA (,) (U+002C)
  • SEMI (;) (U+003B)
  • LANGLE (<) (U+003C)
  • EQUALS (=) (U+003D)
  • RANGLE (>) (U+003E)
  • backslash (\) (U+005C)

Any of the above "special characters" can be escaped in an attribute value. To escape these special characters, or any other character, in an attribute value of a DN string, use one of the methods below.

Preferred method

This is the preferred method, as it appears to be the most reliable across LDAP client implementations. If a character to be escaped is one of the special characters, precede it with a backslash ('\', ASCII 92). This example shows how a comma in an organization name is escaped:
CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB

Replace with backslash and two hex digits

Replace the character to be escaped with a backslash followed by two hex digits; each hex pair encodes one byte of the character's UTF-8 encoding, so a multi-byte character needs one backslash-hex pair per byte. The same comma as above, escaped this way:
CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB

Surround with "DQUOTE"

Surround the entire attribute value with "" (quotation marks, ASCII 34) that are not part of the value. Between the pair of quotation marks all characters are taken as is, except for the \ (backslash). The \ (backslash) can be used to escape a backslash (ASCII 92), quotation marks (ASCII 34), any of the special characters previously mentioned, or hex pairs as in the second method. For example, to escape the quotation marks in cn=xyz"qrs"abc, it becomes cn=xyz\"qrs\"abc; to escape a \ the value becomes "you need to escape a single backslash this way\\". Another example: "\Zoo" is illegal, because 'Z' cannot be escaped in this context.
