I am looking for some clarification on interpreting RFC2253.

I have an MS CA that publishes the following record to Active Directory ...

dn: CN=User \\\,X Root,CN=Users,DC=whatever,DC=com
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: User \,X Root
countryCode: 0
displayName: User \,X Root
givenName: User \, X
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=User \\\,X Root,CN=Users,DC=whatever,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=whatever,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: resVu6bT+0KyLbIZmoHw6g==
primaryGroupID: 513
pwdLastSet: 127221054390156250
name: User \,X Root
sAMAccountName: userx
sAMAccountType: 805306368
sn: Root
userAccountControl: 66048
userPrincipalName: userx@whatever.com
uSNChanged: 118592
uSNCreated: 104250
whenChanged: 20040301163439.0Z
whenCreated: 20040210142147.0Z

The DN of the certificate is CN=User \,X Root,CN=Users,DC=whatever,DC=com

My questions have to do with escaping the "\" and ",". Looking at the DN: and distinguishedName: entries it appears that they are escaped according to the RFC. If I added a new attribute called "userDN" and I wanted it to contain the dn string of the certificate how should it appear in the user record ...

1) userDN: CN=User \,X Root, CN=Users, DC=whatever, DC=com

2) userDN: CN=User \\\,X Root, CN=Users, DC=whatever, DC=com

I am manually entering the dn string (vs pulling it from the ASN.1). If 1) is true can I assume that the special characters need to be escaped only when pulling the certificate dn from the ASN.1? If 2) is true can I assume that any\all attributes that contain a dn string with special characters need to be escaped?

I am aware the string can be encapsulated so I'm all set there. What I really need to know is if a dn string needs to be escaped (or encapsulated) regardless of what attribute type is present. In the example above the dn string inside "distinguishedName:" is escaped. I need to know if this was to comply with the RFC or out of convenience since it was populated as part of publishing the certificate. Also, I now have to add a new attribute called "userDN:" and I wish for it to contain the dn string of the certificate. Since I am not publishing a certificate I am forced to enter the string manually. According to the RFC does the string have to be escaped (or encapsulated) or can it be left "as is"?

I have an urgent need for this information so a quick response would be greatly appreciated. Thanks in advance.
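
Added example, not part of the original post: a short Python sketch of the RFC 2253 section 2.4 escaping rules, run against the `cn` value and the two DN spellings from the record above. The function names are made up for this illustration, and the sketch assumes no quoted values and no multi-valued RDNs.

```python
# Added example: RFC 2253 section 2.4 escaping for one attribute value.
# Assumption: quoted values and multi-valued RDNs ("+") are not handled.
SPECIAL = ',+"\\<>;'

def escape_value(raw):
    """Raw attribute value -> the form used inside a DN string."""
    out = []
    for i, ch in enumerate(raw):
        edge = (i == 0 and ch in " #") or (i == len(raw) - 1 and ch == " ")
        out.append("\\" + ch if ch in SPECIAL or edge else ch)
    return "".join(out)

def unescape_value(escaped):
    """Value taken from a DN string -> raw attribute value."""
    out, i = bytearray(), 0
    while i < len(escaped):
        ch = escaped[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
        elif i + 1 < len(escaped) and escaped[i + 1] in SPECIAL + " #=":
            out += escaped[i + 1].encode("utf-8")  # backslash + literal char
            i += 2
        else:
            pair = escaped[i + 1:i + 3]            # backslash + two hex digits
            if len(pair) != 2:
                raise ValueError("dangling backslash in DN value")
            out.append(int(pair, 16))
            i += 3
    return out.decode("utf-8")

def split_dn(dn):
    """Split a DN string into RDNs on commas that are not escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    return parts + [cur]

def rdn_value(rdn):
    """Raw value of a single-valued RDN such as 'CN=...'."""
    return unescape_value(rdn.partition("=")[2])

if __name__ == "__main__":
    for dn in (r"CN=User \\\,X Root,CN=Users,DC=whatever,DC=com",
               r"CN=User \,X Root,CN=Users,DC=whatever,DC=com"):
        print(repr(rdn_value(split_dn(dn)[0])))
```

Read as RFC 2253 strings, the two spellings decode to different CN values: the first yields the `cn` shown in the record (with the backslash), the second yields a value with no backslash.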