LDAP distinguished names
Distinguished names (DNs) are used to uniquely identify entries in an LDAP or X.500 directory. DNs are user-oriented strings, typically used whenever you must add, modify, or delete an entry in a directory by using the LDAP programming interface, and when you use the LDAP utilities ldapmodify, ldapsearch, ldapmodrdn, and ldapdelete.
For the syntax and usage of the command-line utilities, see the Command Reference section of the IBM® Security Directory Suite documentation.
A DN is typically composed of an ordered sequence of attribute type and attribute value pairs (type=value). Most DNs are composed of pairs in the following order:
common name (cn)
organization (o) or organizational unit (ou)
country (c)
The following string-type attributes are the standardized attribute types most commonly used in DNs. A DN can be composed of any attributes with an LDAP syntax of Directory String, including the following:
CN - CommonName
L - LocalityName
ST - StateOrProvinceName
O - OrganizationName
OU - OrganizationalUnitName
C - CountryName
STREET - StreetAddress
Informal definition
This notation is convenient for common forms of name. Most DNs begin with CommonName (CN) and progress up the naming tree of the directory. Typically, as you read from left to right, each component of the name represents a larger grouping of entries, ending with CountryName (C). Remember that sequence is significant: a DN is an ordered list of relative distinguished names (RDNs), so reordering them names a different entry. For example, the following two DNs do not identify the same entry in the directory:
CN=wiley coyote, O=acme, O=anvils, C=US
CN=wiley coyote, O=anvils, O=acme, C=US
Some examples follow. The author of RFC 2253, "UTF-8 String Representation of Distinguished Names", is specified as:
CN=Steve Kille, O=ISODE Consortium, C=GB
Another name might be:
CN=Christian Huitema, O=INRIA, C=FR
A semicolon (;) can be used as an alternative RDN separator; RFC 2253 parsers must accept it for compatibility with RFC 1779, but DNs should be generated with commas. The separators can be mixed within one DN, but this usage is discouraged.
CN=Christian Huitema; O=INRIA; C=FR
Here is an example of a multi-valued Relative Distinguished Name, where the namespace is flat within an organization and the department is used to disambiguate certain names:
OU=Sales + CN=J. Smith, O=Widget Inc., C=US
The final examples show both methods of entering a comma in an Organization name. The first uses the quoted form inherited from RFC 1779, which RFC 2253 parsers must still accept; the second uses the backslash escape that RFC 2253 specifies for generating DNs:
CN=L. Eagle, O="Sue, Grabbit and Runn", C=GB
CN=L. Eagle, O=Sue\, Grabbit and Runn, C=GB
Without the quotes or the backslash, the comma is read as an RDN separator and the string is not a valid DN. The same applies to the other special characters (+ " \ < > ;), to a leading # or space, and to a trailing space. Any DN that you build from user-supplied values must escape them; otherwise a value such as "J. Smith, OU=Admins" changes the structure of the name rather than being stored as a single attribute value.
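The following Python code is an added example for this page, not code from IBM Security Directory Suite or from any LDAP library. It implements the RFC 2253 string rules discussed above (RDN ordering, multi-valued RDNs joined with +, the ; alternative separator, quoted and backslash-escaped values, and \XX hex escapes), and it goes slightly beyond the page's examples by also handling hex escapes and escaping of leading/trailing spaces. The `user_dn` helper and its default suffix `O=Widget Inc.,C=US` are assumptions introduced to show why escaping matters when a DN is assembled from untrusted input; the DN strings used as inputs are the ones shown on this page.

```python
"""RFC 2253 DN strings: escaping, parsing and safe construction.

Added example for this page; not code from the IBM product or an LDAP library.
It assumes values are UTF-8 text; per-attribute matching rules are ignored.
"""
from typing import List, Tuple

RDN = List[Tuple[str, str]]      # one RDN; more than one pair means multi-valued
SPECIAL = set(',+"\\<>;')        # must be backslash-escaped inside a value
HEX = set("0123456789abcdefABCDEF")


def escape_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN string (RFC 2253 s.2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string left to right; rdns[0] is the leaf RDN (usually CN=...).

    Accepts backslash escapes, \\XX hex escapes (one UTF-8 byte each), RFC 1779
    quoted values, '+' for multi-valued RDNs and ';' as an RDN separator.
    """
    rdns: List[RDN] = []
    rdn: RDN = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        atype = dn[i:eq].strip() if eq > 0 else ""
        if not atype or not all(c.isalnum() or c in "-." for c in atype):
            raise ValueError("expected 'type=' at offset %d" % i)
        i = eq + 1
        while i < n and dn[i] == " ":
            i += 1
        buf, keep = bytearray(), 0   # bytes past `keep` are trailing unescaped spaces
        if i < n and dn[i] == '"':   # quoted value: only \" and \\ are escapes
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == "\\" and i + 1 < n:
                    i += 1
                buf += dn[i].encode("utf-8")
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value")
            i, keep = i + 1, len(buf)
        else:
            while i < n and dn[i] not in ",;+":
                ch = dn[i]
                i += 1
                if ch == "\\":
                    if i >= n:
                        raise ValueError("dangling backslash")
                    pair = dn[i:i + 2]
                    if len(pair) == 2 and set(pair) <= HEX:   # \XX is one raw byte
                        buf.append(int(pair, 16))
                        i += 2
                    else:                                     # \c is the literal c
                        buf += dn[i].encode("utf-8")
                        i += 1
                    keep = len(buf)
                    continue
                buf += ch.encode("utf-8")
                if ch != " ":
                    keep = len(buf)
        while i < n and dn[i] == " ":
            i += 1
        rdn.append((atype, bytes(buf[:keep]).decode("utf-8")))
        if i < n:
            sep, i = dn[i], i + 1
            if sep not in ",;+":
                raise ValueError("unexpected %r at offset %d" % (sep, i - 1))
            if sep != "+":
                rdns.append(rdn)
                rdn = []
            while i < n and dn[i] == " ":
                i += 1
            if i >= n:
                raise ValueError("DN ends with a separator")
    if rdn:
        rdns.append(rdn)
    return rdns


def build_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn: RFC 2253 form, comma-separated, every value escaped."""
    return ",".join("+".join("%s=%s" % (t, escape_value(v)) for t, v in rdn) for rdn in rdns)


def user_dn(cn: str, base: str = "O=Widget Inc.,C=US") -> str:
    """Build an entry DN from an untrusted name (base is a hypothetical suffix).
    Escaping keeps the whole name inside one value; naive concatenation lets a
    name such as 'J. Smith, OU=Admins' smuggle in an extra RDN (DN injection)."""
    return "CN=%s,%s" % (escape_value(cn), base)
```

Parsing the two "wiley coyote" DNs yields different RDN lists, which is the ordering point made above; parsing the quoted and the backslash-escaped "Sue, Grabbit and Runn" DNs yields identical results, while the unescaped version raises because "Grabbit and Runn, C" is not a legal attribute type. `build_dn` always emits the comma-and-backslash form, which is what you should generate regardless of which forms you accept.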
Formal definition
For a formal and complete definition of the Distinguished Names that can be used with the LDAP interfaces, see RFC 2253, "UTF-8 String Representation of Distinguished Names" (since superseded by RFC 4514, which keeps the same string form).