9

I'm reading two (link1, link2) articles on LDAP and they make mention of Relative Distinguished Name (RDN), Distinguished Name (DN) and CN which is supposed to be the same thing as an RDN.

I understand an RDN to be a key in a key-values pair for a node in an LDAP directed graph, but the author doesn't say much about what these terms mean...

leeand00
  • 4,919

1 Answers1

21

I can recommend LDAP for rocket scientists, very nice and thorough intro to the protocol

To answer your question:

  • distinguishedname: full path of the object in the tree. So if the ldap server has a base of dc=domain,dc=tld and the object is in the container ou=users, then the dn could be cn=object,ou=users,dc=domain,dc=tld

  • rdn is in the example cn=object, because it is relative to ou=users,dc=domain,dc=tld.

If the object was in ou=otherusers,dc=domain,dc=tld, then the rdn would still be cn=object, but then it would have a different dn: cn=object,ou=otherusers,dc=domain,dc=tld.

So the rdn is relative to its parent.

And the common name cn is just an attribute. Sometimes the cn and the rdn have the same value. Other times, the rdn is uid=user (instead of cn=user), like most unix ldap servers do. So the dn would then be uid=user,ou=users,dc=domain,dc=tld. And that object could have a cn attribute as well to make it even fuzzier.

The differences have to do on what kind of object is being referenced, because every type of object has a different set of objectclasses that define what attributes it may (or may not) have.

The book is free to read, by the way.

natxo asenjo
  • 5,819
  • FYU cn is "common name", not "canonical name". – Sam Morris Jun 27 '23 at 13:15
  • fyi, I assume. FYU could be easily mistaken for something else ;-). In AD is canical name the convention, in other ldap directories is indeed common name an option. In my experience, canonical name is more usual in most professional environments. – natxo asenjo Jun 27 '23 at 20:07
  • 1
    Whoops, that's an unfortunate typo sorry about that! Anyway. The AD documentation says that cn is the LDAP projection of AD's Common-Name attribute: https://learn.microsoft.com/en-us/windows/win32/adschema/a-cn; this aligns with the standard LDAP schema defined in RFC 4519: https://datatracker.ietf.org/doc/html/rfc4519#section-2.3 – Sam Morris Jun 28 '23 at 10:03
  • 1
    There is a Canonical-Name (constructed) attribute in AD, btw, but it is projected to LDAP as canonicalName: https://learn.microsoft.com/en-us/windows/win32/adschema/a-canonicalname – Sam Morris Jun 28 '23 at 10:39
  • ok, you convinced me, I modified the answer. Thanks! – natxo asenjo Jun 28 '23 at 18:40