All data associated with an LDAP entry is contained in the entry’s attributes. For example, the entry whose distinguished name is uid=nat,ou=person,o=quincyfunds.com might have the following attributes:

objectClass: top
objectClass: person
objectClass: organizationalPerson
uid: nat
cn: Natalya Cohen
cn: Nat Cohen
sn: Cohen
givenName: Natalya
givenName: Nat

Many attributes in an LDAP directory can be multi-valued (such as the cn, givenName, and objectClass attributes in the example above).

One interesting point to note is that the attribute values comprising the entry’s distinguished name do not necessarily have to correspond to the attribute values contained in the entry itself. For example, the entry above does not contain an ou attribute or an o attribute, even though the DN implies an ou value of person and an o value of quincyfunds.com. Even more confusing situations are possible (although, of course, not recommended by the directory providers), where the attribute is specified both in the DN and in the entry itself, but the two values differ.

For these kinds of cases, the thing to keep in mind is that the actual directory data is contained in the entry’s attributes. The distinguished name is simply a name that can be used to uniquely identify the entry; it does not represent the actual attribute values. For example, when the directory is searched, it is not searched against the DN, but against the attribute values stored in the entries themselves.

Note however that you do use the DN to access a directory entry directly, without searching. Also, you must specify the DN when you create a new entry.