Directory Services

Distinguished Names

The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.

An RDN is an attribute with an associated value in the form attribute=value; normally expressed in a UTF-8 string format. The following table lists typical RDN attribute types.

String	Attribute Type
DC	domainComponent
CN	commonName
OU	organizationalUnitName
O	organizationName
STREET	streetAddress
L	localityName
ST	stateOrProvinceName
C	countryName
UID	userid

The following are examples of distinguished names.

CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM

CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM

The following table lists reserved characters that cannot be used in an attribute value.

Character	Description
	space or # character at the start of a string
	space character at the end of a string
,	comma
+	plus sign
"	double quote
\	backslash
<	left angle bracket
>	right angle bracket
;	semicolon

If a reserved character is part of an attribute value, it must be escaped by prefixing it with a backslash (\) in the attribute string. If an attribute value contains other reserved characters, such as the equals sign (=) or non-UTF-8 characters, it must be encoded in hexadecimal by replacing the character with a backslash followed by two hex digits.

The following are examples of some distinguished names that include escaped characters. The first example is an organizational unit name with an embedded comma; the second example is a value containing a carriage return.

CN=Litware,OU=Docs\, Adatum,DC=Fabrikam,DC=COM

CN=Before\0DAfter,OU=Test,DC=North America,DC=Fabrikam,DC=COM