Directory Server, Version 6.1


Distinguished names (DNs)

Every entry in the directory has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory. A DN is made up of attribute=value pairs, separated by commas, for example:

cn=Ben Gray,ou=editing,o=New York Times,c=US
cn=Lucille White,ou=editing,o=New York Times,c=US
cn=Tom Brown,ou=reporting,o=New York Times,c=US

Any of the attributes defined in the directory schema, other than system or restricted attributes, may be used to make up a DN. The order of the component attribute=value pairs is important. The DN contains one component for each level of the directory hierarchy, from the root down to the level where the entry resides. LDAP DNs begin with the most specific attribute (usually some sort of name) and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the Relative Distinguished Name (RDN). It identifies an entry distinctly from any other entries that have the same parent. In the examples above, the RDN "cn=Ben Gray" separates the first entry from the second entry (with RDN "cn=Lucille White"); these two example DNs are otherwise equivalent. The attribute=value pair making up the RDN for an entry must also be present in the entry. (This is not true of the other components of the DN.)


Distinguished name syntax

The Distinguished Name (DN) syntax supported by this server is based on RFC 2253. The Backus-Naur Form (BNF) syntax is defined as follows:

<name> ::= <name-component> ( <spaced-separator> )
         | <name-component> <spaced-separator> <name>

<spaced-separator> ::= <optional-space> <separator> <optional-space>

<separator> ::= "," | ";"
<optional-space> ::= ( <CR> ) *( " " )

<name-component> ::= <attribute>
         | <attribute> <optional-space> "+" <optional-space> <name-component>

<attribute> ::= <string>
         | <key> <optional-space> "=" <optional-space> <string>

<key> ::= 1*( <keychar> ) | "OID." <oid> | "oid." <oid>
<keychar> ::= letters, numbers, and space

<oid> ::= <digitstring> | <digitstring> "." <oid>
<digitstring> ::= 1*<digit>
<digit> ::= digits 0-9

<string> ::= *( <stringchar> | <pair> )
         | '"' *( <stringchar> | <special> | <pair> ) '"'
         | "#" <hex>

<special> ::= "," | "=" | <CR> | "+" | "<" | ">" | "#" | ";"
<pair> ::= "\" ( <special> | "\" | '"' )
<stringchar> ::= any character except <special> or "\" or '"'

<hex> ::= 2*<hexchar>
<hexchar> ::= 0-9, a-f, A-F

A semicolon (;) character can be used to separate RDNs in a distinguished name, although the comma (,) character is the typical notation.

White-space characters (spaces) might be present on either side of the comma or semicolon. The white-space characters are ignored, and the semicolon is replaced with a comma.

In addition, space (' ' ASCII 32) characters may be present either before or after a '+' or '='. These space characters are ignored when parsing.

A value may be surrounded by double quotation ('"' ASCII 34) characters, which are not part of the value. Inside the quoted value, the following characters can occur without being escaped:

  • A space or "#" character occurring at the beginning of the string

  • A space character occurring at the end of the string

  • One of the characters "'", "=", "+", "\", "<", ">", or ";"

Alternatively, a single character to be escaped may be prefixed by a backslash ('\' ASCII 92). This method can be used to escape any of the characters listed previously and the double quotation marks ('"' ASCII 34) character.

This notation is designed to be convenient for common forms of names. The following example is a distinguished name written using this notation: a name containing three components, the first of which is a multivalued RDN. A multivalued RDN contains more than one attribute=value pair and can be used to distinctly identify a specific entry in cases where a simple CN value might be ambiguous:

OU=Sales+CN=J. Smith,O=Widget Inc.,C=US


DN escaping rules

A DN can contain special characters. These characters are , (comma), = (equals), + (plus), < (less than), > (greater than), # (number sign), ; (semicolon), \ (backslash), and " (quotation mark).

To escape these special characters or other characters in an attribute value in a DN string, use any of the following methods:

  • If a character to be escaped is one of the special characters, precede it by a backslash ('\' ASCII 92). This example shows a method of escaping a comma in an organization name:
    CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB
    This is the preferred method.

  • Otherwise, replace the character to be escaped by a backslash and two hex digits, which together encode one byte of the character's code. The code of the character must be in the UTF-8 code set (a character whose UTF-8 encoding takes several bytes therefore needs one backslash-hex pair per byte).
    CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB

  • Surround the entire attribute value by " (quotation marks, ASCII 34) that are not part of the value. Between the quotation character pair, all characters are taken as is, except for the \ (backslash). The \ (backslash) can be used to escape a backslash (ASCII 92) or quotation marks (ASCII 34), any of the special characters previously mentioned, or hex pairs as in method 2. For example, to escape the quotation marks in cn=xyz"qrs"abc, write cn=xyz\"qrs\"abc; to escape a backslash:
    "we need to escape a single backslash this way \\"

    Another example: "\Zoo" is illegal, because 'Z' cannot be escaped in this context.

On the server end, when a DN is received in this form, the server reformats the DN using escape mechanisms number 1 and 2 for internal processing.


Enhanced DN processing

A composite RDN of a DN may consist of multiple components connected by the '+' operator. The server enhances the support for searches on entries that have such a DN: the components of a composite RDN can be specified in any order when the DN is used as the base for a search operation.

idsldapsearch -b "cn=mike+ou=austin,o=sample" -s base "objectclass=*"

The server accepts DN normalization extended operations. DN normalization extended operations normalize DNs using the server schema. This extended operation might be useful for applications that use DNs. See the IBM® Tivoli® Directory Server Version 6.1 C-client Programming Reference for more information.
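The following is an added example, not code from the Directory Server product or its documentation. It puts the string rules of the "Distinguished name syntax" and "DN escaping rules" sections into a small parser and escaper, and uses the result to show why the two orderings of the composite RDN above name the same entry: after parsing, the attributes of each multivalued RDN are sorted, the ';' separator and surrounding spaces disappear, and the values are re-escaped with the backslash method the text calls preferred. All function names and sample DNs are this example's own choices. It consults no schema, so value comparison is exact (the server's DN normalization extended operation applies the schema's matching rules instead), and the "#hex" BER-encoded value form is not handled.

```python
# Added example (not part of the Directory Server documentation): DN parser,
# escaper and string-level normalizer following the rules stated on this page.
# Function names, sample DNs and the error messages are this example's own.

SPECIAL = set(',=+<>#;')            # characters that must be escaped in a value
ESCAPABLE = SPECIAL | set('\\" ')   # "\<char>" is legal for these (space: leading/trailing)
HEX = '0123456789abcdefABCDEF'


def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs.

    Handles ',' or ';' as RDN separator, '+' inside a multivalued RDN, spaces
    around '=', '+' and separators, "\\<special>", "\\<hex><hex>" (UTF-8 bytes)
    and '"'-quoted values.  Raises ValueError on illegal input such as "\\Zoo".
    """
    rdns, rdn = [], []
    key = None              # attribute type of the pair being read, once '=' is seen
    buf = bytearray()       # bytes, so that successive \XX pairs can form UTF-8 sequences
    pending = 0             # unquoted, unescaped spaces not yet known to be interior
    in_quotes = False
    i, n = 0, len(dn)

    def emit(data):
        nonlocal pending
        if buf:                          # spaces between two value characters are kept;
            buf.extend(b' ' * pending)   # leading ones were never counted into buf
        pending = 0
        buf.extend(data)

    def finish_attr():
        nonlocal key, buf, pending
        if key is None:
            raise ValueError("name component without '=' near position %d" % i)
        rdn.append((key, buf.decode('utf-8')))   # trailing unescaped spaces are dropped
        key, buf, pending = None, bytearray(), 0

    while i < n:
        c = dn[i]
        if c == '\\':
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(h in HEX for h in nxt):   # method 2: \XX
                emit(bytes([int(nxt, 16)]))
                i += 3
            elif nxt[:1] and nxt[0] in ESCAPABLE:            # method 1: \<special>
                emit(nxt[0].encode('utf-8'))
                i += 2
            else:
                raise ValueError("illegal escape sequence at position %d" % i)
        elif c == '"':                                      # method 3: quoted value
            in_quotes = not in_quotes
            i += 1
        elif not in_quotes and c == ' ':
            pending += 1
            i += 1
        elif not in_quotes and c == '=':
            if key is not None:
                raise ValueError("unescaped '=' in value at position %d" % i)
            key = buf.decode('utf-8').lower()               # type names are case-insensitive
            buf, pending = bytearray(), 0
            i += 1
        elif not in_quotes and c in ',;+':
            finish_attr()
            if c != '+':                                    # ';' is treated like ','
                rdns.append(rdn)
                rdn = []
            i += 1
        else:
            emit(c.encode('utf-8'))
            i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    finish_attr()
    rdns.append(rdn)
    return rdns


def escape_value(value):
    """Escape a raw attribute value with the backslash method (method 1)."""
    out = []
    for idx, ch in enumerate(value):
        if ch in SPECIAL or ch in '\\"':
            out.append('\\' + ch)
        elif ch == ' ' and idx in (0, len(value) - 1):      # leading/trailing space
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def normalize_dn(dn):
    """Canonical string form: lowercase types, sorted composite-RDN attributes,
    ',' separators, no surrounding spaces, values re-escaped with method 1."""
    return ','.join('+'.join('%s=%s' % (t, escape_value(v)) for t, v in sorted(rdn))
                    for rdn in parse_dn(dn))


def same_dn(a, b):
    """True when two DN strings name the same entry under these string rules."""
    return normalize_dn(a) == normalize_dn(b)


if __name__ == '__main__':
    print(parse_dn('CN=L. Eagle,O=Sue\\, Grabbit and Runn,C=GB'))
    print(normalize_dn('ou = austin + cn = mike ; o = sample'))
    print(same_dn('cn=mike+ou=austin,o=sample', 'ou=austin+cn=mike,o=sample'))
```

Because the parser decodes into bytes before converting to text, a non-ASCII character written as several backslash-hex pairs (for example \C3\AB for ë) is reassembled correctly, which is the case the "must be in the UTF-8 code set" rule is about. When a DN is built from values that did not originate as DN text, pass each value through escape_value rather than concatenating it, so that commas, plus signs or quotes inside a value cannot be read as DN structure.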
