LDAP distinguished names

Distinguished names (DNs) are used to uniquely identify entries in an LDAP or X.500 directory. DNs are user-oriented strings, typically used whenever you must add, modify, or delete an entry in a directory by using the LDAP programming interface, and when you use the LDAP utilities ldapmodify, ldapsearch, ldapmodrdn, and ldapdelete.

To learn more about the syntax and usage of the command-line utilities, see the Command Reference section of the IBM® Security Directory Suite documentation.

A DN is typically composed of an ordered set of attribute type and attribute value pairs (type=value). Most DNs are composed of pairs in the following order:
  • common name (cn)
  • organization (o) or organizational unit (ou)
  • country (c)
The following string-type attributes represent the set of standardized attribute types for accessing an LDAP directory. A DN can be composed of attributes with an LDAP syntax of Directory String, including the following ones:
  • CN - CommonName
  • L - LocalityName
  • ST - StateOrProvinceName
  • O - OrganizationName
  • OU - OrganizationalUnitName
  • C - CountryName
  • STREET - StreetAddress

Informal definition

This notation is convenient for common forms of name. Most DNs begin with CommonName (CN), and progress up the naming tree of the directory. Typically, as you read from left to right, each component of the name represents increasingly larger groupings of entries, ending with CountryName (C). Remember that sequence is important. For example, the following two DNs do not identify the same entry in the directory:
   CN=wiley coyote, O=acme, O=anvils, C=US

   CN=wiley coyote, O=anvils, O=acme, C=US
Some examples follow. The author of RFC 2253, "UTF-8 String Representation of Distinguished Names," is specified as:
   CN=Steve Kille, O=ISODE Consortium, C=GB
Another name might be:
   CN=Christian Huitema, O=INRIA, C=FR
A semicolon (;) can be used as an alternative separator. The separators might be mixed, but this usage is discouraged.
   CN=Christian Huitema; O=INRIA; C=FR
Here is an example of a multi-valued Relative Distinguished Name, where the namespace is flat within an organization, and department is used to disambiguate certain names:
   OU=Sales + CN=J. Smith, O=Widget Inc., C=US
The final examples show both methods of entering a comma in an Organization name: enclosing the value in double quotation marks, or escaping the comma with a backslash (\):
   CN=L. Eagle, O="Sue, Grabbit and Runn", C=GB

   CN=L. Eagle, O=Sue\, Grabbit and Runn, C=GB
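The following parser and builder, added here as an example and not part of the IBM documentation, apply the rules above: RDN order, the comma and semicolon separators, multi-valued RDNs joined with "+", quoted values, and backslash escapes (including the two-hex-digit form from RFC 2253). The escaping function shows the defensive side, building a DN from values that may themselves contain separators.

```python
# Added example (not IBM code): minimal RFC 2253-style DN parsing and building.
SPECIALS = ',+"\\<>;'   # characters RFC 2253 section 2.4 requires escaping in a value

def escape_value(value):
    """Escape one attribute value so it can be placed safely inside a DN string."""
    out = []
    for i, ch in enumerate(value):
        # Specials anywhere, '#' at the start, and a leading or trailing space get a backslash.
        if (ch in SPECIALS or (ch == '#' and i == 0)
                or (ch == ' ' and i in (0, len(value) - 1))):
            out.append('\\')
        out.append(ch)
    return ''.join(out)

def build_dn(rdns):
    """Build a DN from a list of RDNs, each a list of (type, value) pairs; '+' joins multi-valued RDNs."""
    return ','.join('+'.join(f'{t}={escape_value(v)}' for t, v in rdn) for rdn in rdns)

def _pair(text):
    attr_type, _, value = text.partition('=')
    return attr_type.strip().upper(), value.strip()

def parse_dn(dn):
    """Split a DN into RDNs (a list of lists of (type, value)); types are upper-cased.
    Accepts ',' or ';' between RDNs, '+' inside a multi-valued RDN, double-quoted
    values, and backslash escapes in both the '\\,' and single-byte '\\2C' hex forms."""
    rdns, rdn, token, quoted, i = [], [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in '0123456789abcdefABCDEF' for c in pair):
                token.append(chr(int(pair, 16))); i += 3      # hex escape, e.g. \2C
            else:
                token.append(dn[i + 1]); i += 2               # literal escape, e.g. \,
            continue
        if ch == '"':
            quoted = not quoted                                # quotes delimit, not part of value
        elif not quoted and ch in ',;+':
            rdn.append(_pair(''.join(token))); token = []
            if ch != '+':                                      # ',' or ';' closes the whole RDN
                rdns.append(rdn); rdn = []
        else:
            token.append(ch)
        i += 1
    rdn.append(_pair(''.join(token)))
    rdns.append(rdn)
    return rdns
```

Parsing the unescaped DN `CN=L. Eagle, O=Sue, Grabbit and Runn, C=GB` yields four RDNs rather than three, which is why values that contain separators must be quoted or escaped before they are concatenated into a DN.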

Formal definition

For a formal, and complete, definition of Distinguished Names that can be used with the LDAP interfaces, see "RFC 2253, UTF-8 String Representation of Distinguished Names".