The LDAP protocol and APIs use typed names to identify directory entries. In contrast, the Domain Name Service (DNS) uses untyped names to identify entries. Each directory entry is identifiable by its fully distinguished name. The distinguished name (DN) is constructed by concatenating the relative distinguished names (RDNs) of each entry in the directory hierarchy leading from the root of the namespace to the entry itself. This is identical to the X.500 naming model. With LDAP, however, a distinguished name is specified using a null-terminated character string instead of a complex set of nested arrays of XOM structures. Note that an RDN can consist of multiple attribute type/value pairs.

    c=US
    o=Acme International
    ou=Marketing+l=Virginia
    cn=Jane Doe

    cn=Jane Doe, ou=Marketing+l=Virginia, o=Acme International, c=US

An LDAP DN is specified as a null-terminated character string in a right-to-left fashion (right-to-left refers to the ordering of RDNs from highest to lowest in the directory hierarchy). Note that embedded spaces are taken as part of the attribute value for RDNs and do not require quotation marks. Also, note that RDNs are separated by commas (,) and attribute type/value pairs within an RDN are separated by plus (+) signs. (See RFC 2253: UTF-8 String Representation of Distinguished Names for more information.)