LDAP Distinguished Names
DN stands for Distinguished Name in LDAP-speak
- A dn indicates what record to view in an LDAP tree
- Your base dn is the topmost dn of your tree
                    dc=base
                       |
            +----------+----------+
            |                     |
         dc=sub1               dc=sub2
            |                     |
       +----+-----+          +----+-----+
       |          |          |          |
    ou=dept1   ou=dept2   ou=dept1   ou=dept2
- In this case the base dn is 'dc=base'
- Other dn's in this tree include 'ou=dept1,dc=sub1,dc=base'
- A base dn may contain more than one part. For example, instead of 'dc=base' we could have 'dc=base,dc=net' as the base dn
- Some LDAP applications will allow you to use an arbitrary dn as a base dn. This allows you to use a single LDAP tree to host, say, a DNS server, authentication, and an address book on a single server
- In the tree above you could use 'dc=sub1,dc=base' to host DNS and 'ou=dept1,dc=sub2,dc=base' to host a departmental address book
A Distinguished Name Is A Container
From the above you might think that a distinguished name is just a pointer to where you are in the LDAP tree. This is not in fact the case; a distinguished name is also a container. Every distinguished name has many fields. The primary field is the one used as the distinguished name (its leftmost component). In 'ou=dept1,dc=sub1,dc=base', the primary field is 'ou', the organizational unit.
A full record might look like:

    dn: ou=dept1,dc=sub1,dc=base
    objectClass: top
    objectClass: organizationalUnit
    ou: dept1
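The following is an added example (not part of the original page) that puts the dn rules above into code: it splits a dn into its components, finds the parent dn, checks whether a dn lies under a given base dn (the "arbitrary dn as a base dn" idea), and builds a record like the one shown. The function names are my own; the dn values come from the tree above. Escaped commas inside a value are handled, since a plain split on ',' would break such dn's, and the subtree check compares component by component so 'dc=notbase' is not mistaken for being under 'dc=base'.

```python
# Added example: working with LDAP distinguished names as described on this page.
# Function names and the escaped-comma sample dn are assumptions for illustration.

def split_dn(dn):
    """Split a dn into its RDN strings, honouring backslash escapes so that
    a value such as 'cn=Smith\\, John' stays one component."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends this RDN
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def rdn_attr_value(rdn):
    """'ou=dept1' -> ('ou', 'dept1'); attribute names are case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()

def _key(rdn):
    """Comparison key for one RDN (dc/ou values are matched case-insensitively)."""
    attr, value = rdn_attr_value(rdn)
    return attr, value.lower()

def parent_dn(dn):
    """Drop the primary (leftmost) field to get the containing dn."""
    return ",".join(split_dn(dn)[1:])

def is_under_base(dn, base_dn):
    """True if dn is the base dn or lies anywhere in the subtree below it.
    Compares RDNs from the right rather than doing a string suffix test."""
    d = [_key(r) for r in split_dn(dn)]
    b = [_key(r) for r in split_dn(base_dn)]
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def primary_field(dn):
    """The field whose value forms the leftmost component of the dn."""
    return rdn_attr_value(split_dn(dn)[0])

def ldif_record(dn, object_classes):
    """Render a record in the dn/objectClass/primary-field shape shown above."""
    attr, value = primary_field(dn)
    lines = [f"dn: {dn}"] + [f"objectClass: {oc}" for oc in object_classes]
    return "\n".join(lines + [f"{attr}: {value}"])
```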