Valid characters for LDAP user and group names
We might use LDAP as the user registry. The set of characters that is valid within a user or group name is determined by several Internet Engineering Task Force (IETF) Requests for Comments (RFCs).
Relevant RFCs include:
- 2253 Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names (obsoleted by RFC 4514, which keeps the same escaping rules)
- 2254 The String Representation of LDAP Search Filters (obsoleted by RFC 4515, which keeps the same escaping rules)
The LDAP server in use can further restrict which characters are valid. In general, we can use special characters within a distinguished name. However, certain special characters must be preceded by a backslash (\) escape character. The following special characters must be escaped when used in a distinguished name:
- Plus sign (+)
- Semicolon (;)
- Comma (,)
- Backward slash (\)
- Double quote (")
- Less than (<)
- Greater than (>)
- Pound sign (#)
RFC 4514 also requires escaping a space at the beginning or end of an attribute value. Note that the characters that are special in a distinguished name differ from those that are special in a search filter (asterisk, parentheses, backslash and NUL), so a value that is escaped for one context is not automatically safe in the other.
For example, to create a user whose name contains a semicolon with the pdadmin utility, escape the semicolon in the distinguished name argument:
pdadmin> user create "user;one" "cn=user\;one,o=tivoli,c=us" "user;one" "user;one" password1
Avoid the backward slash character (\) as part of a user or group name. For more information, see "Characters disallowed for user and group name" in appendix A of the IBM Security Verify Access for Web: Command Reference.
If we use special characters with the pdadmin utility, enclose each argument of the user or group command in double quotation marks. The double quotation marks allow the argument to be passed to pdadmin without being interpreted by the operating system shell command processor.
Because special-character handling varies between LDAP servers, avoid special characters in user and group names wherever possible.
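The following is an added example, not code from the IBM Security Verify Access documentation or product, showing how the escaping rules of RFC 4514 (distinguished names) and RFC 4515 (search filters) apply to a user name such as "user;one" before it is placed in a pdadmin command or an LDAP query. The base DN o=tivoli,c=us is taken from the page; the function names, the pdadmin argument order (name, DN, cn, sn, password, as in the page's example) and the sample values are assumptions constructed for illustration. Note that the filter rules leave the semicolon alone but neutralise the characters an attacker would use for LDAP filter injection, which the DN rules do not cover.

```python
"""Escape user-supplied values for LDAP distinguished names (RFC 4514,
which obsoletes RFC 2253) and for LDAP search filters (RFC 4515, which
obsoletes RFC 2254).  Added example; not part of the IBM documentation.
All sample values below are constructed for illustration."""

# RFC 4514 section 2.4: these characters must be escaped anywhere in a
# DN attribute value (same set as the page's list, minus '#', which
# RFC 4514 only requires at the start of a value; escaping it everywhere
# is harmless and is what the page recommends).
DN_SPECIAL = set('"+,;<>\\#')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')          # NUL must be hex-escaped
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')           # leading or trailing space
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdn_attr: str, value: str, base_dn: str) -> str:
    """Assemble '<attr>=<escaped value>,<base DN>'; base_dn is trusted."""
    return f"{rdn_attr}={escape_dn_value(value)},{base_dn}"


# RFC 4515 section 3: search-filter values escape a different, smaller
# set, and always as a backslash followed by two hex digits.
FILTER_SPECIAL = {
    '*': '\\2a',
    '(': '\\28',
    ')': '\\29',
    '\\': '\\5c',
    '\x00': '\\00',
}


def escape_filter_value(value: str) -> str:
    """Escape a value that will appear inside an LDAP search filter."""
    return ''.join(FILTER_SPECIAL.get(ch, ch) for ch in value)


def build_filter(attr: str, value: str) -> str:
    """Build an equality filter such as '(cn=user;one)' safely."""
    return f"({attr}={escape_filter_value(value)})"


def pdadmin_user_create(name: str, base_dn: str, password: str) -> list:
    """Return the argument list for the page's 'user create' form
    (name, DN, cn, sn, password), with the DN escaped.  Each element
    would be wrapped in double quotes when typed at the pdadmin prompt."""
    return ["user", "create", name, build_dn("cn", name, base_dn),
            name, name, password]


if __name__ == "__main__":
    # The page's example reproduced from the escaping rules.
    print(build_dn("cn", "user;one", "o=tivoli,c=us"))
    # The same name in a search filter: the semicolon needs no escaping.
    print(build_filter("cn", "user;one"))
    # A constructed injection attempt, rendered harmless by RFC 4515 escaping.
    print(build_filter("cn", "*)(objectClass=*"))
    print(" ".join(f'"{a}"' for a in pdadmin_user_create(
        "user;one", "o=tivoli,c=us", "password1")))
```

Running the block prints cn=user\;one,o=tivoli,c=us, which matches the DN in the page's pdadmin example, followed by (cn=user;one) and then (cn=\2a\29\28objectClass=\2a) for the injection attempt. Because the two escapers differ, keep the raw name and escape it at each point of use rather than storing a single "escaped" form.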