All data associated with an LDAP entry is contained in the entry's attributes. For example, the entry whose distinguished name is uid=nat,ou=person,o=company.com might have the following attributes:

    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    uid: nat
    cn: Natalya Cohen
    cn: Nat Cohen
    sn: Cohen
    givenName: Natalya
    givenName: Nat
Many attributes in an LDAP directory can be multi-valued (such as the cn, givenName, and objectClass attributes in the example above).
One interesting point to note is that the attribute values comprising the entry's distinguished name do not necessarily have to correspond to the attribute values contained in the entry itself. For example, the entry above does not contain an ou attribute or an o attribute, even though the DN implies an ou value of person and an o value of company.com. Even more confusing situations are possible (although, of course, not recommended by the directory providers), where the attribute is specified both in the DN and in the entry itself, but the two values differ.
For these kinds of cases, the thing to keep in mind is that the actual directory data is contained in the entry’s attributes. The distinguished name is simply a name that can be used to uniquely identify the entry; it does not represent the actual attribute values. For example, when the directory is searched, it is not searched against the DN, but against the attribute values stored in the entries themselves.
Note however that you do use the DN to access a directory entry directly, without searching. Also, you must specify the DN when you create a new entry.
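The following is an added example, not part of the original text: a small in-memory model of an LDAP entry in plain Python (no directory client library) that parses the attribute listing above, splits the DN into its RDN components, and evaluates an equality filter the way a search does, against the entry's attribute values rather than the DN. It also reports which DN components are absent from the entry and which disagree with it, which is the check worth running before any code relies on a DN component (such as an ou value) as if it were entry data. The sample entry and DN are the ones from the text; the helper names and the simplifying assumptions (no escaped commas in the DN, case-insensitive string matching) are this example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample: the entry from the text, in LDIF-style "attr: value" lines.
SAMPLE_DN = "uid=nat,ou=person,o=company.com"
SAMPLE_LDIF = """\
objectClass: top
objectClass: person
objectClass: organizationalPerson
uid: nat
cn: Natalya Cohen
cn: Nat Cohen
sn: Cohen
givenName: Natalya
givenName: Nat
"""


def parse_attributes(ldif_text: str) -> Dict[str, List[str]]:
    """Parse 'attr: value' lines into {attribute: [values]}.
    Attribute names are lower-cased because LDAP treats them case-insensitively;
    repeated names accumulate, which is how multi-valued attributes are represented."""
    attrs: Dict[str, List[str]] = {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, leftmost (most specific) first.
    Simplification for this example: assumes no escaped commas or multi-valued RDNs."""
    rdns: List[Tuple[str, str]] = []
    for rdn in dn.split(","):
        name, _, value = rdn.partition("=")
        rdns.append((name.strip().lower(), value.strip()))
    return rdns


def matches_equality(attrs: Dict[str, List[str]], attr: str, value: str) -> bool:
    """Evaluate an LDAP equality filter (attr=value) the way a search does:
    against the entry's stored attribute values only, never against the DN.
    Assumes case-insensitive string matching (caseIgnoreMatch) for simplicity."""
    return any(v.lower() == value.lower() for v in attrs.get(attr.lower(), []))


def dn_components_missing_from_entry(dn: str, attrs: Dict[str, List[str]]) -> List[str]:
    """Attributes named in the DN that the entry itself does not carry at all."""
    return [name for name, _ in parse_dn(dn) if name not in attrs]


def dn_components_disagreeing(dn: str, attrs: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """DN components whose attribute exists in the entry but with no matching value.
    Each result is (attribute, dn_value, entry_values)."""
    conflicts = []
    for name, dn_value in parse_dn(dn):
        if name in attrs and not matches_equality(attrs, name, dn_value):
            conflicts.append((name, dn_value, attrs[name]))
    return conflicts


if __name__ == "__main__":
    entry = parse_attributes(SAMPLE_LDIF)
    print("cn values:", entry["cn"])                      # multi-valued attribute
    print("RDNs:", parse_dn(SAMPLE_DN))
    print("(cn=Nat Cohen) matches:", matches_equality(entry, "cn", "Nat Cohen"))
    # The DN says ou=person, but a search for (ou=person) finds nothing in this entry.
    print("(ou=person) matches:", matches_equality(entry, "ou", "person"))
    print("DN components absent from entry:", dn_components_missing_from_entry(SAMPLE_DN, entry))
    # Constructed variant of the entry whose uid disagrees with the DN.
    conflicting = dict(entry, uid=["natalya"])
    print("DN/entry disagreements:", dn_components_disagreeing(SAMPLE_DN, conflicting))
```

Running the module shows the two situations the text describes: ou and o appear in the DN but not in the entry, so a search filter on them does not match this entry, and a constructed variant with uid: natalya demonstrates a DN component that disagrees with the entry's own value.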