LDAP for Rocket Scientists

LDAP DIT - LDAP Directory Information Tree

LDAP DNs and RDNs

• DN - distinguished name - full path of the object in the tree. Uniquely identifies an entry and describes its position. I.e “uid=john.doe,ou=People,dc=example,dc=com”
  • DNs are comprised of zero or more comma-separated components called relative distinguished names, or RDNs.
  • For example, the DN “uid=john.doe,ou=People,dc=example,dc=com” has four RDNs:
    • uid=john.doe
    • ou=People
    • dc=example
    • dc=com
  • DNs are case insensitive)
• RDN - is relative to its parent

Example DNs:

• “uid=john.doe,ou=People,dc=example,dc=com”
• “cn=John Doe+telephoneNumber=+1 123-456-7890” - to distinguish between more people named “John Doe”
• ”“ - empty is also valid - NULL DN references special entry called root DSE (server data)
• ““dc=example,dc=com”
• “dc=com” - the DN of top entry is a “naming context” or “suffix”

The same DN:

• dc=example,dc=com
• dc=example, dc=com
• dc = example , dc = com
• DC=EXAMPLE,DC=COM
• 0.9.2342.19200300.100.1.25=Example,0.9.2342.19200300.100.1.25=Com

• dc - domain component dc=company,dc=org (domain is company.org)
• ou - organization unit (ou=
• cn - common name (i.e. “John Smith”)
• displayName - one line summary (for people can be the same as cn)

Are predefined containers for attributes. For example OpenLDAP's “Generic: User Account” assigns “inetOrgPerson” class.

• inetOrgPerson
  • cn, sn - as required attributes
  • lots of optional attributes like: “photo”, “displayName”, “uid”, “postalCode”, “telephoneNumber”

And container classes:

• cn,sn (inetOrgPerson)
• mail=rfc822Mailbox (inetOrgPerson)
• uid=userid (inetOrgPerson)
• userPassword (person, posixAccount, simpleSecurityObject)
  • hash: SSHA
• displayName (inetOrgPerson)

• Unique name for each entry
  • cn collisions. Two people may have the same first and last name. Grouping under different parent is necessary (ou).
  • user can belong only to one ou.
• Stability of structure, but people can change:
  • names - Do not rename entries, use some unique id like serial number. I.e. “uid=00003,ou=People, dc=example, dc=com”.
  • position - departments - do not put users under specific departments (deep tree), better is to put it into one group and then use a attribute

to structurize and group users.

• security - separate some information by grouping it under another ou

http://www.ldapman.org/articles/tree_design.html

• dc=company,dc=org
  • ou=people
    • uid=jdoe
      • cn=John Doe
      • cn=Johny
      • sn=Doe
      • mail=john.doe@company.org
      • mail=j.doe@company.org
    • uid=jblack
      • cn=Joe Black
      • sn=Black
      • ou=software
  • ou=software
  • ou=customers
    • cn=Google
    • cn=Wurth
  • ou=devices
  • ou=it
    • uid=nextcloudsystemuser,cn=nextcloudsystemuser,userPassword=…
    • root,www ,etc
  • ou=location
    • conference rooms location and phones, company address, etc