LDAP directory data is organized into entries, similar to the entries for words in the dictionary, or for subscriber names in the phone book. A sample entry follows.
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
facsimileTelephoneNumber: +1 408 555 1992
gidNumber: 1000
givenName: Barbara
homeDirectory: /home/bjensen
l: Cupertino
mail: bjensen@example.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
ou: People
ou: Product Development
roomNumber: 0209
sn: Jensen
telephoneNumber: +1 408 555 1862
uidNumber: 1076
Barbara Jensen's entry has a number of attributes, such as uid: bjensen, telephoneNumber: +1 408 555 1862, and objectClass: posixAccount [1]. An attribute can hold more than one value: cn, ou, and objectClass each appear several times in the entry above. When you look up her entry in the directory, you specify one or more attributes and values to match in the entries that come back as the result of your search. Typically the attributes you search for are indexed in the directory, so the directory server can retrieve them more quickly.[2]
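As an added example that is not part of the original page, the following Python code reads the sample entry above, written in LDIF, into a dictionary of multi-valued attributes. Two lines appended to the entry are constructed for this example only, to exercise the base64 (attribute::) and folded-line conventions of LDIF; the function names are this example's own.

```python
import base64

# The entry from the page, in LDIF, plus constructed lines at the end
# (not part of the original entry) to exercise base64 values and folding.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
facsimileTelephoneNumber: +1 408 555 1992
gidNumber: 1000
givenName: Barbara
homeDirectory: /home/bjensen
l: Cupertino
mail: bjensen@example.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
ou: People
ou: Product Development
roomNumber: 0209
sn: Jensen
telephoneNumber: +1 408 555 1862
uidNumber: 1076
displayName:: QmFicw==
jpegPhoto:: /9j/4AAQ
description: This is a long description that is
  folded onto a second line
"""


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attribute-name: [values]}.

    Attribute names are case-insensitive in LDAP, so keys are lower-cased.
    A repeated name becomes a multi-valued attribute (cn, ou, objectClass
    above). "attr:: data" is base64 (RFC 2849); the decoded bytes are kept
    as bytes when they are not valid UTF-8, as with a photo.
    """
    # Unfold first: a line starting with one space continues the previous
    # line, so a base64 value split over lines is decoded as one value.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw == "" or raw.startswith("#"):
            continue
        else:
            logical.append(raw)

    entry = {}
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            data = base64.b64decode(rest[1:].strip(), validate=True)
            try:
                value = data.decode("utf-8")
            except UnicodeDecodeError:
                value = data
        elif rest.startswith("<"):
            raise ValueError(f"URL-valued attribute not fetched: {line!r}")
        else:
            value = rest.lstrip(" ")
        entry.setdefault(name.lower(), []).append(value)

    if len(entry.get("dn", [])) != 1:
        raise ValueError("an LDIF entry needs exactly one dn line")
    return entry


def object_classes(entry: dict) -> set:
    """Object classes of an entry, lower-cased for comparison."""
    return {oc.lower() for oc in entry.get("objectclass", [])}


if __name__ == "__main__":
    parsed = parse_ldif_entry(SAMPLE_LDIF)
    for attr, values in parsed.items():
        print(attr, values)
```

Note that jpegPhoto comes back as bytes while displayName comes back as the string "Babs": base64 in LDIF says nothing about whether the underlying value is text, only that it could not be written safely on one line.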
The entry also has a unique identifier, shown at the top of the entry, dn: uid=bjensen,ou=People,dc=example,dc=com. DN stands for distinguished name. No two entries in the directory have the same distinguished name.[3]
LDAP entries are arranged hierarchically in the directory. The hierarchical organization resembles a file system on a PC or a web server, often imagined as an upside-down tree structure, looking similar to a pyramid.[4] The distinguished name consists of components separated by commas, uid=bjensen,ou=People,dc=example,dc=com. Those components reflect the hierarchy of directory entries: the leftmost component, uid=bjensen, is the entry's relative distinguished name (RDN), unique among the entries under the same parent, and the components to its right name the parent entries, ending with the root.
Barbara Jensen's entry is located under an entry with DN ou=People,dc=example,dc=com, an organizational unit and parent entry for the people at Example.com. The ou=People entry is located under the entry with DN dc=example,dc=com, the root entry for Example.com. DC stands for domain component. The directory has other root entries, such as cn=config, under which the configuration is accessible through LDAP, and potentially others such as dc=mycompany,dc=com or o=myOrganization. Because cn=config exposes the server's own configuration, access to it is normally limited to administrative accounts.
Thus when you look up entries, you specify the parent entry to look under
in the same way you need to know whether to look in the New York, Paris,
or Tokyo phone book to find a telephone number.[5]
[1] The objectClass attribute type indicates which attributes are required and which are optional for the entry. The object classes of an entry form a chain: in the entry above, top, person, organizationalPerson, and inetOrgPerson build on one another, and posixAccount adds the attributes needed for a POSIX account. As an entry's object classes can be updated online, and even the definitions of object classes and attributes are expressed as entries that can be updated online, directory data is extensible on the fly.
[2] Attribute values do not have to be strings. In LDIF, the text format used to import and export directory data, a binary value such as a password, certificate, or photo is written base64-encoded (attribute:: value) so that it stays portable in text form. Base64 is an encoding, not encryption: a base64 value in an LDIF file is exactly as sensitive as the bytes it represents, so treat exported LDIF with the same care as the directory itself.
[3] Sometimes your distinguished names include characters that you must escape with a backslash: the characters ", +, comma, ;, <, > and \ anywhere in a value, a # at the start of a value, and a space at the start or end of a value (RFC 4514). Without escaping, the directory would read a comma inside a value as the separator between DN components. The following example shows an entry that includes escaped characters in the DN.
$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=escape)"
dn: cn=\" # \+ \, \; \< = \> \\ DN Escape Characters,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: " # + , ; < = > \
uid: escape
cn: " # + , ; < = > \ DN Escape Characters
sn: DN Escape Characters
mail: escape@example.com
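The escaping shown in this footnote, the parent/child structure of DNs described in the body, and the attribute-value lookup described there all come down to a few string rules. As an added example that is not part of the original page, the following Python code implements RFC 4514 escaping of an RDN value, an escape-aware split of a DN into its components (which gives the parent entry's DN), and RFC 4515 escaping of a value placed in a search filter, with the page's own escaped DN as test input. The function names, including the uid_filter helper that shows the effect of not escaping untrusted input, are this example's own.

```python
# RFC 4514 section 2.4: characters that always need a backslash inside an
# RDN attribute value. A leading '#', a leading or trailing space and NUL
# are handled separately below.
_DN_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns):
    """Join (attribute, value) pairs, most specific first, into a DN string."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, skipping backslash-escaped commas.

    Escape pairs are kept as-is so the pieces can be reassembled. The
    legacy quoted form from RFC 2253 (cn="a,b") is not handled here.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def parent_dn(dn: str) -> str:
    """DN of the entry directly above this one (empty string for a root)."""
    return ",".join(split_dn(dn)[1:])


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515 section 3).

    '*', '(', ')', '\\' and NUL become \\XX hex escapes; everything else
    is passed through unchanged.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def uid_filter(uid: str, escape: bool = True) -> str:
    """Filter for the uid lookup described in the text. escape=False shows
    what an unescaped, attacker-chosen uid does to the filter."""
    return "(uid=%s)" % (escape_filter_value(uid) if escape else uid)


if __name__ == "__main__":
    dn = build_dn(("uid", "bjensen"), ("ou", "People"),
                  ("dc", "example"), ("dc", "com"))
    print(dn, "->", parent_dn(dn))
    print(uid_filter("*)(objectClass=*", escape=False))
    print(uid_filter("*)(objectClass=*"))
```

The escaping rules for DNs and for filters are different, and each only applies in its own context: a value escaped for a DN is not safe inside a filter, and vice versa. Escaping filter values is what stops a user-supplied uid from turning a single-entry lookup into a broader search.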
[4] Hence pyramid icons are associated with directory servers.
[5] The root entry for the directory, technically the entry with DN "" (the empty string), is called the root DSE, and contains information about what the server supports, including the other root entries it serves, which are listed in its namingContexts attribute.