Suffix (naming context)

A suffix (also known as a naming context) is a DN that identifies the top entry in a locally held directory hierarchy.

Because of the relative naming scheme used in LDAP, this DN is also the suffix of every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy, for example, o=ibm,c=us.

The specific entry that matches the suffix must be added to the directory. The entry you create must use an objectclass that contains the naming attribute used. You can use the Web administration tool or the Qshell ldapadd utility to create the entry corresponding to this suffix.

Conceptually, there is a global LDAP name space. In the global LDAP name space, you might see DNs like:

  • cn=John Smith,ou=Rochester,o=IBM
  • cn=Jane Doe,o=My Company,c=US
  • cn=system administrator,dc=myco,dc=com

The suffix "o=IBM" tells the server that only the first DN is in a name space held by the server. Attempts to reference objects that are not within one of the suffixes result in a no such object error or a referral to another directory server.

A server can have multiple suffixes. The Directory Server has several predefined suffixes that hold data specific to our implementation:

  • cn=schema contains the LDAP accessible representation of the schema
  • cn=changelog holds the server change log, if enabled
  • cn=localhost contains non-replicated information that controls some aspects of the server operation, for example, replication configuration objects
  • cn=IBMpolicies contains information on server operation that is replicated
  • the "os400-sys=system-name.mydomain.com" suffix provides LDAP accessibility to IBM® i objects, currently limited to user profiles and groups

The Directory Server comes pre-configured with a default suffix, dc=system-name,dc=domain-name, to make it easier to get started with the server. There is no requirement that you use that suffix. You can add your own suffixes, and delete the pre-configured suffix.

There are two commonly used naming conventions for suffixes. One is based on the TCP/IP domain for your organization. The other is based on the organization's name and location.

For example, given a TCP/IP domain of mycompany.com, you might choose a suffix like dc=mycompany,dc=com, where the dc attribute refers to the domain component. In this case the top level entry you create in the directory might look like the following (using LDIF, a text file format for representing LDAP entries):

dn: dc=mycompany,dc=com
objectclass: domain
dc: mycompany

The domain objectclass also has some optional attributes you might want to use. View the schema or edit the entry you have created using the Web administration tool to see the additional attributes that you can use.

If your company name is My Company and it is located in the United States, you might choose a suffix like one of the following:

o=My Company
o=My Company,c=US
ou=Widget Division,o=My Company,c=US

Here ou is the naming attribute for the organizationalUnit objectclass, o is the organization name for the organization objectclass, and c is the standard two-letter country abbreviation used to name the country objectclass. In this case the top level entry you create might look like:

dn: o=My Company,c=US
objectclass: organization
o: My Company

Applications that you use might require that specific suffixes be defined, or that a particular naming convention be used. For example, if your directory is used to manage digital certificates, you might be required to structure part of your directory so that entry names match the subject DNs of the certificates that it holds.

Entries to be added to the directory must have a suffix that matches the DN value, such as ou=Marketing,o=ibm,c=us. If a query contains a suffix that does not match any suffix configured for the local database, the query is referred to the LDAP server that is identified by the default referral. If no LDAP default referral is specified, an Object does not exist result is returned.
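The following script is an added illustration, not part of the IBM documentation or of the Directory Server's own code. It models the two decisions this page describes: how a DN is matched against the configured suffixes (serve locally, follow the default referral, or return "no such object"), and the check that a top-level LDIF entry really corresponds to its suffix (DN equals the suffix and the naming attribute is present). The suffix list, the referral URL and the LDIF text are constructed sample values; the DN parser handles comma-separated `attr=value` RDNs with backslash escapes and is deliberately not a full RFC 4514 parser.

```python
"""Added example: suffix (naming context) matching and top-level entry checks.
Not IBM code; sample suffixes, referral and LDIF below are constructed."""


def split_rdns(dn):
    """Split a DN into RDN strings, honouring backslash escapes so that
    'o=Smith\\, Inc,c=US' yields two RDNs rather than three."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn):
    """Return (type, value) pairs, most specific first, lower-cased and
    stripped so that o=IBM and o=ibm compare equal."""
    out = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        out.append((attr.strip().lower(), value.strip().lower()))
    return tuple(out)


def find_suffix(dn, suffixes):
    """Return the longest configured suffix whose RDNs equal the trailing
    RDNs of dn, or None when dn lies outside every local naming context."""
    ndn = normalize_dn(dn)
    best, best_len = None, -1
    for suffix in suffixes:
        ns = normalize_dn(suffix)
        if len(ns) <= len(ndn) and ndn[len(ndn) - len(ns):] == ns:
            if len(ns) > best_len:
                best, best_len = suffix, len(ns)
    return best


def route(dn, suffixes, default_referral=None):
    """Mimic the server's decision for a DN: ('local', suffix),
    ('referral', url) when a default referral is configured, else
    ('noSuchObject', None) (the page's "Object does not exist")."""
    suffix = find_suffix(dn, suffixes)
    if suffix is not None:
        return ("local", suffix)
    if default_referral is not None:
        return ("referral", default_referral)
    return ("noSuchObject", None)


def parse_ldif_entry(text):
    """Parse one simple LDIF entry into (dn, {attr: [values]}).
    Attribute names are lower-cased; folded lines and base64 are not handled."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return dn, attrs


def check_suffix_entry(ldif_text, suffix):
    """Return a list of problems with a top-level entry meant to match
    suffix: the DN must equal the suffix, the entry must carry the naming
    attribute of the leftmost RDN (e.g. dc or o) with the same value, and it
    must declare an objectclass. An empty list means the entry is acceptable."""
    dn, attrs = parse_ldif_entry(ldif_text)
    problems = []
    if dn is None or normalize_dn(dn) != normalize_dn(suffix):
        problems.append(f"dn {dn!r} does not equal suffix {suffix!r}")
    attr, value = normalize_dn(suffix)[0]
    if value not in [v.lower() for v in attrs.get(attr, [])]:
        problems.append(f"naming attribute {attr}={value} missing from entry")
    if "objectclass" not in attrs:
        problems.append("entry has no objectclass")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration and entry, not taken from a real server.
    suffixes = ["o=IBM", "cn=schema", "dc=system-name,dc=domain-name"]
    for dn in ["cn=John Smith,ou=Rochester,o=IBM", "cn=Jane Doe,o=My Company,c=US"]:
        print(dn, "->", route(dn, suffixes), route(dn, suffixes, "ldap://other.example.com"))
    ldif = "dn: dc=mycompany,dc=com\nobjectclass: domain\ndc: mycompany\n"
    print(check_suffix_entry(ldif, "dc=mycompany,dc=com"))
```

The longest-suffix rule matters when one configured suffix is itself under another; the trailing-RDN comparison also means an entry such as cn=x,o=IBM,c=US is not under the suffix o=IBM, because the suffix must end the DN, not merely appear inside it.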