July 27th, 2004, 12:40 PM
Question on RFC2253 interpretation
I am looking for some clarification on interpreting RFC2253.
I have an MS CA that publishes the following record to Active Directory ...
dn: CN=User \\\,X Root,CN=Users,DC=whatever,DC=com
cn: User \,X Root
displayName: User \,X Root
givenName: User \, X
distinguishedName: CN=User \\\,X Root,CN=Users,DC=whatever,DC=com
name: User \,X Root
The DN of the certificate is CN=User \,X Root,CN=Users,DC=whatever,DC=com
My questions have to do with escaping the "\" and ",". Looking at the DN: and distinguishedName: entries it appears that they are escaped according to the RFC. If I added a new attribute called "userDN" and I wanted it to contain the dn string of the certificate how should it appear in the user record ...
1)userDN: CN=User \,X Root, CN=Users, DC=whatever, DC=com
2) userDN: CN=User \\\,X Root, CN=Users, DC=whatever, DC=com
I am manually entering the dn string (vs pulling it from the ASN.1). If 1) is true can I assume that the special characters need to be escaped only when pulling the certificate dn from the ASN.1? If 2) is true can I assume that any/all attributes that contain a dn string with special characters need to be escaped?
I am aware the string can be encapsulated so I'm all set there. What I really need to know is if a dn string needs to be escaped (or encapsulated) regardless of what attribute type is present. In the example above the dn string inside "distinguishedName:" is escaped. I need to know if this was to comply with the RFC or out of convenience since it was populated as part of publishing the certificate. Also, I now have to add a new attribute called "userDN:" and I wish for it to contain the dn string of the certificate. Since I am not publishing a certificate I am forced to enter the string manually. According to the RFC does the string have to be escaped (or encapsulated) or can it be left "as is"?
I have an urgent need for this information so a quick response would be greatly appreciated. Thanks in advance.
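An added example (not part of the original post) that applies RFC 2253 escaping to the record quoted above: it encodes the literal cn value into its string-DN form, decodes both candidate userDN strings back into RDN values, and compares DNs structurally rather than as raw text. The constants are constructed from the post's values, and multi-valued RDNs ('+') are not handled.

```python
import re

SPECIALS = set(',+"\\<>;')  # RFC 2253 s2.4: must be backslash-escaped inside a value

def escape_value(value: str) -> str:
    """Encode one attribute value for use inside an RFC 2253 string DN."""
    out = []
    for i, ch in enumerate(value):
        edge = i == 0 or i == len(value) - 1
        if ch in SPECIALS or (ch == ' ' and edge) or (ch == '#' and i == 0):
            out.append('\\')
        out.append(ch)
    return ''.join(out)

def unescape_value(value: str) -> str:
    """Decode an RFC 2253 value: '\\X' yields X, '\\hh' yields the byte 0xhh."""
    raw = bytearray()
    for tok in re.findall(r'\\[0-9A-Fa-f]{2}|\\.|[^\\]', value):
        if len(tok) == 3:                      # hex pair escape
            raw.append(int(tok[1:], 16))
        else:                                  # escaped special or plain char
            raw += tok[-1].encode('utf-8')
    return raw.decode('utf-8')

def parse_dn(dn: str) -> list:
    """Return [(TYPE, decoded value), ...] for a single-valued-RDN string DN."""
    rdns = []
    for rdn in re.findall(r'(?:\\.|[^,])+', dn):  # ',' separates RDNs, '\,' does not
        attr, _, val = rdn.lstrip().partition('=')
        rdns.append((attr.strip().upper(), unescape_value(val)))
    return rdns

def same_dn(a: str, b: str) -> bool:
    """Compare DNs structurally; comparing raw strings misreads escaping and spacing."""
    return parse_dn(a) == parse_dn(b)

# Constructed from the post's record: LDIF does not backslash-escape, so the cn value
# holds a literal backslash and comma, and its RFC 2253 DN form must escape both.
CN_VALUE = 'User \\,X Root'
RECORD_DN = 'CN=User \\\\\\,X Root,CN=Users,DC=whatever,DC=com'   # distinguishedName
OPTION_1 = 'CN=User \\,X Root, CN=Users, DC=whatever, DC=com'      # the post's 1)
OPTION_2 = 'CN=User \\\\\\,X Root, CN=Users, DC=whatever, DC=com'  # the post's 2)

if __name__ == '__main__':
    print('escaped cn  :', escape_value(CN_VALUE))
    print('option 1 CN :', parse_dn(OPTION_1)[0])
    print('option 2 CN :', parse_dn(OPTION_2)[0], '| matches record:', same_dn(RECORD_DN, OPTION_2))
```

Only the fully escaped form decodes back to the cn value stored in the directory; the single-escaped form names a different entry.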