An LDAP directory is organized into a tree of directory entries. Each directory entry is uniquely identified by its distinguished name (DN). The root point of the tree is represented by a special entry whose DN is called the directory suffix.

For example, a company directory for Quincy Funds might have a directory suffix of o=quincyfunds.com. Branching off the tree root, there may be entries for the various departments within the organization, such as ou=Finance,o=quincyfunds.com, ou=Marketing,o=quincyfunds.com, and so on. Under the organizational unit subtrees, there might be entries representing individual people, for example, uid=nat,ou=Finance,o=quincyfunds.com.

As you can see above, a DN consists of a series of comma-separated attribute name/value pairs. The hierarchy is represented right-to-left in a DN, with the right-most pair indicating the top of the hierarchy. For example, ou=Finance,o=quincyfunds.com is a child of o=quincyfunds.com. The left-most attribute name/value pair is called a relative distinguished name (RDN).

The examples in this section demonstrate some standard attribute names, such as:

These standard attribute names are inherited from the X.500 standard, which preceded LDAP. Their use is not required, but is a good convention to follow when possible. Note that you can also define an organization like this:

dc=quincyfunds,dc=com

The directory tree may be highly branched, with the entire organizational hierarchy reflected in the tree structure, or it may be almost flat, depending on the needs of the organization. An example of an almost flat directory structure is one where all the people entries reside under the same organizational unit entry, such as ou=person,o=quincyfunds.com. There may also be organizational unit entries for storing other types of information, for example, ou=Groups,o=quincyfunds.com, ou=Customers,o=quincyfunds.com, ou=Devices,o=quincyfunds.com, and so on.

A directory may have more than one directory suffix. This typically comes into play with very large directories that are spread across multiple machines, extranets, and ISPs. For example, an ISP whose directory service needs to support multiple enterprises might have a separate directory suffix for each of the enterprises.
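
The right-to-left hierarchy and the role of directory suffixes described above can be checked in code. The sketch below is an added example, not part of the original text: it splits a DN into RDNs, derives the parent DN, and decides which configured suffix an entry belongs to by comparing parsed components rather than raw strings. The helper names and the o=example.net suffix are illustrative assumptions.

```python
# Added example: helper names are illustrative, not from any LDAP library.
# Multi-valued RDNs (joined with "+") are not handled here.

def split_dn(dn):
    """Split a DN into its RDNs, left to right, honouring backslash escapes."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).lstrip())
    if any("=" not in r for r in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    return rdns

def normalize(rdn):
    """Assumption: attribute values match case-insensitively (schema-dependent)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.lower())

def parent_dn(dn):
    """Drop the left-most RDN; a one-RDN DN has no parent in this model."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None

def is_under(dn, suffix):
    """True if dn equals suffix or lies below it, compared RDN by RDN from the right."""
    d = [normalize(r) for r in split_dn(dn)]
    s = [normalize(r) for r in split_dn(suffix)]
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def owning_suffix(dn, suffixes):
    """Return the configured suffix with the most RDNs that contains dn, or None."""
    matches = [s for s in suffixes if is_under(dn, s)]
    return max(matches, key=lambda s: len(split_dn(s)), default=None)

# Constructed configuration: the two suffix forms from the text plus a second enterprise.
SUFFIXES = ["o=quincyfunds.com", "dc=quincyfunds,dc=com", "o=example.net"]

if __name__ == "__main__":
    for dn in ["uid=nat,ou=Finance,o=quincyfunds.com", r"cn=Smith\, Nat,ou=Marketing,O=QuincyFunds.com"]:
        print(dn, "->", parent_dn(dn), "| suffix:", owning_suffix(dn, SUFFIXES))
```

Because an RDN value may contain an escaped comma, a plain string suffix test can report an entry as lying under a suffix when it does not; comparing parsed RDNs avoids that.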