NetIQ Documentation: NetIQ Cloud Manager 2.1.5 Orchestration Administrator Reference

4.2 Understanding LDAP Structure

An LDAP directory is usually structured hierarchically as a tree of nodes (the LDAP directory tree is sometimes referred to as the Directory Information Tree, or DIT). Each node represents a record, or “entry” in the LDAP database.

This section includes the following information:

4.2.1 The Distinguished Name

An LDAP entry consists of numerous attribute-value pairs. It is uniquely identified by what is known as a “distinguished name” (DN).

To draw a parallel with a relational database management system (RDBMS), an LDAP entry is analogous to a record, its attributes are the fields of that record, and a DN is a primary key that uniquely identifies each record.

Consider the following example of an LDAP entry:

dn: mail=joe@novell.com, dc=novell, dc=com
objectclass: inetOrgPerson
cn: Joe
sn: Somebody
mail: joe@novell.com
telephoneNumber: 1 234 567 8912

This is an entry for a single person, Joe Somebody, who works at Novell. The components of the entry – name, email address, telephone number – are split into attribute-value pairs, with the entire record identified by a unique DN (the first line of the entry). Some of these attributes are required and some are optional, depending on the object class being used for the entry; however, the entire set of data constitutes a single entry, or node, on the LDAP directory tree.

4.2.2 The Relative Distinguished Name

Every entry in the directory tree has a “relative distinguished name” (RDN) consisting of one or more attribute-value pairs. An RDN must be unique at that level in the directory hierarchy. In the example above, for instance, the following are all valid RDNs for the entry:

cn=Joe

cn=Joe+sn=Somebody

cn=Joe+sn=Somebody+telephoneNumber=12345678912

mail=joe@novell.com

There are no set rules regarding which attributes of a particular entry should be used for the RDN; the LDAP model leaves this decision to the directory designer, specifying only that the RDN of an entry must be such that it can uniquely identify that entry at that level in the DIT.

Because RDNs exist for every entry in the tree, the DN for any entry is formed by sequentially appending the RDNs of all the nodes between that entry and the root entry. In this way, you can use the DN to easily locate any node in the directory tree, regardless of its location or depth in the hierarchy.

For example, consider the following LDAP directory:

Figure 4-1 Sample LDAP Directory

To identify the node belonging to Joe Somebody (the DN for Joe Somebody’s entry) you would add all the RDNs between that entry and the root of the tree:

uid=joe,ou=Worker Bees,o=Novell,c=IN

In a similar manner, the DN for the node belonging to Sarah would be

uid=sarah,ou=Executives,o=Novell,c=IN

while the DN for the Novell node would be

o=Novell,c=IN

Because LDAP entries are arranged in a hierarchical tree, and because each node on the tree can be uniquely identified by a DN, the LDAP model lends itself to sophisticated queries and powerful search filters.