Characters disallowed for Microsoft Active Directory distinguished names
If Microsoft Active Directory is the user registry, certain special characters are not allowed in a distinguished name (DN) as they stand. A reserved character is allowed in a DN only if it is preceded by a backslash (\) escape character or is encoded in hexadecimal.
To encode a character in hexadecimal, replace it with a backslash (\) followed by the two hexadecimal digits of its byte value. The following characters must be escaped with a backslash (\) before they are used in a distinguished name:
- Number sign (#) at the beginning of the string
- A space at the end of the string
- Comma (,)
- Double quotation (")
- Left angle bracket (<)
- Plus sign (+)
- Right angle bracket (>)
- Semicolon (;)
Because of differences in registries and command shell processors, avoid the backward slash (\) character in distinguished names. For other reserved characters, such as an equal sign (=), asterisk (*), or a non-UTF-8 character, the character must be encoded in hexadecimal.
- Example 1: To create a user with a distinguished name that contains a comma in the RDN value (the comma must be escaped so that it is not read as the separator between RDNs):
  pdadmin sec_master> user create "johndoe" "cn=doe\,john,cn=users,dc=mydomain,dc=com" John Doe password1
- Example 2: To create a user with a distinguished name that contains a carriage return, which is a reserved character and must be encoded in hexadecimal (the hexadecimal representation of a carriage return is 0D):
  pdadmin sec_master> user create "johndoe" "cn=doe\0DJohn,cn=users,dc=mydomain,dc=com" John Doe password1
- Example 3: To create a user with a distinguished name that begins with a number sign (#):
  pdadmin sec_master> user create "#pounduser" "cn=\#pounduser,cn=users,dc=mydomain,dc=com" "#pound" "user" password1
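The escaping rules above are easy to get wrong by hand, and a value such as "doe,john" that is pasted unescaped into a DN silently creates a different object than intended. The following Python example, added here and not part of the IBM documentation or the pdadmin tool, applies the rules on this page to an RDN attribute value and renders the resulting pdadmin "user create" command line. It covers the three cases shown above (comma, carriage return, leading number sign) plus a trailing space and the hexadecimal-encoded equal sign and asterisk. The helper names, the base DN cn=users,dc=mydomain,dc=com, and the treatment of control characters as the "non-UTF-8" case are assumptions for illustration; a backslash in the input is rejected because the page advises avoiding it.

```python
# Added example (not IBM or pdadmin code): escape an RDN attribute value for
# an Active Directory DN using the rules on this page, then build the pdadmin
# "user create" command line. The base DN cn=users,dc=mydomain,dc=com and the
# helper names are assumptions for illustration.

# Characters escaped with a single backslash wherever they appear in the value.
BACKSLASH_ESCAPED = set(',"<+>;')
# Reserved characters that the page says must be hexadecimal-encoded instead.
HEX_ENCODED = set('=*')


def escape_dn_value(value: str) -> str:
    """Return `value` escaped for use as an RDN attribute value.

    Raises ValueError for a backslash, which the page advises avoiding
    altogether because registries and command shells treat it differently.
    """
    if "\\" in value:
        raise ValueError("avoid the backslash character in distinguished names")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in BACKSLASH_ESCAPED:
            out.append("\\" + ch)
        elif ch in HEX_ENCODED or ord(ch) < 0x20 or ord(ch) == 0x7F:
            # One \XX per byte: a carriage return becomes \0D, '=' becomes \3D.
            # Treating control characters as the "non-UTF-8" case is an assumption.
            out.append("".join("\\%02X" % b for b in ch.encode("utf-8")))
        elif ch == "#" and i == 0:
            out.append("\\#")          # only a leading number sign is reserved
        elif ch == " " and i == last:
            out.append("\\ ")          # only a trailing space is reserved
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdn_value: str, attr: str = "cn",
             base: str = "cn=users,dc=mydomain,dc=com") -> str:
    """Build a full DN from an unescaped RDN value and an (assumed) base DN."""
    return f"{attr}={escape_dn_value(rdn_value)},{base}"


def pdadmin_user_create(user_id: str, rdn_value: str,
                        first: str, last: str, password: str) -> str:
    """Render the pdadmin 'user create' command for the given user."""
    dn = build_dn(rdn_value)
    return f'user create "{user_id}" "{dn}" "{first}" "{last}" {password}'


if __name__ == "__main__":
    # Constructed inputs: the three examples on this page plus a trailing space.
    for uid, rdn, first, last in [
        ("johndoe", "doe,john", "John", "Doe"),
        ("johndoe", "doe\rJohn", "John", "Doe"),
        ("#pounduser", "#pounduser", "#pound", "user"),
        ("johndoe2", "doe john ", "John", "Doe"),
    ]:
        print("pdadmin sec_master> " + pdadmin_user_create(uid, rdn, first, last, "password1"))
```

Note that only a leading number sign and a trailing space are escaped; the same characters elsewhere in the value are passed through unchanged, matching the list above. The user ID argument ("#pounduser" in Example 3) is not a DN and is therefore not escaped.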