1.2. Data In LDAP Directories

LDAP directory data is organized into entries, similar to the entries for words in the dictionary, or for subscriber names in the phone book. A sample entry follows.

dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
facsimileTelephoneNumber: +1 408 555 1992
gidNumber: 1000
givenName: Barbara
homeDirectory: /home/bjensen
l: Cupertino
mail: bjensen@example.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
ou: People
ou: Product Development
roomNumber: 0209
sn: Jensen
telephoneNumber: +1 408 555 1862
uidNumber: 1076

Barbara Jensen's entry has a number of attributes, such as uid: bjensen, telephoneNumber: +1 408 555 1862, and objectClass: posixAccount[1]. When you look up her entry in the directory, you specify one or more attributes and values to match in the entries that come back as the result of your search. Typically the attributes you search for are indexed in the directory, so the directory server can retrieve them more quickly.[2]

The entry also has a unique identifier, shown at the top of the entry, dn: uid=bjensen,ou=People,dc=example,dc=com. DN stands for distinguished name. No two entries in the directory have the same distinguished name.[3]

LDAP entries are arranged hierarchically in the directory. The hierarchical organization resembles a file system on a PC or a web server, often imagined as an upside-down tree structure, looking similar to a pyramid.[4] The distinguished name consists of components separated by commas, as in uid=bjensen,ou=People,dc=example,dc=com. Those components reflect the hierarchy of directory entries.

Figure: Directory data hierarchy as seen in OpenDJ Control Panel.

Barbara Jensen's entry is located under an entry with DN ou=People,dc=example,dc=com, an organizational unit and the parent entry for the people at Example.com. The ou=People entry is located under the entry with DN dc=example,dc=com, the root entry for Example.com. DC stands for domain component. The directory has other root entries, such as cn=config, under which the configuration is accessible through LDAP, and potentially others such as dc=mycompany,dc=com or o=myOrganization. Thus when you look up entries, you specify the parent entry to look under, in the same way that you need to know whether to look in the New York, Paris, or Tokyo phone book to find a telephone number.[5]
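To make the structure described above concrete, here is an added example (not code from the OpenDJ project or from this guide) that parses the sample entry in its LDIF text form, keeps every attribute as a list of values because LDAP attributes are multi-valued, decodes the base64 "::" form that LDIF uses for binary values (see footnote 2), and then splits the DN into its components to walk the hierarchy the way a search base does. The sample LDIF is the entry shown above plus one constructed base64-encoded description attribute; the function names are the example's own.

```python
import base64
import re

# Constructed sample (an added example, not output from the page): the LDIF
# entry shown in the section, plus one base64-encoded attribute ("::") to
# exercise the decoding path.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
facsimileTelephoneNumber: +1 408 555 1992
gidNumber: 1000
givenName: Barbara
homeDirectory: /home/bjensen
l: Cupertino
mail: bjensen@example.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
ou: People
ou: Product Development
roomNumber: 0209
sn: Jensen
telephoneNumber: +1 408 555 1862
uidNumber: 1076
description:: QmFyYmFyYSdzIGVudHJ5
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, attrs).

    attrs maps lowercased attribute names (LDAP attribute names are
    case-insensitive) to lists of values, since attributes are multi-valued:
    the sample carries two cn values and five objectClass values.
    "name:: value" lines are base64-decoded, which is how LDIF carries
    binary or non-ASCII values such as certificates or photos.
    """
    # Unfold LDIF continuation lines: a line starting with one space
    # continues the previous line.
    unfolded = re.sub(r"\n ", "", text.strip())
    dn = None
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            # "name:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def split_dn(dn):
    """Split a DN into its RDN components, leftmost (leaf) first.

    A comma preceded by a backslash is part of a value, not a separator
    (see footnote 3). Each backslash is consumed together with the character
    after it, so a value ending in an escaped backslash does not swallow the
    separator that follows it.
    """
    return [c.strip() for c in re.findall(r"(?:\\.|[^,\\])+", dn)]


def parent_dn(dn):
    """DN of the parent entry: the DN without its leftmost RDN."""
    return ",".join(split_dn(dn)[1:])


def ancestors(dn):
    """DNs from the entry itself up to the top of its naming context."""
    parts = split_dn(dn)
    return [",".join(parts[i:]) for i in range(len(parts))]


def is_under(dn, base):
    """True if dn is base or lies beneath it, the test a search base applies.

    Comparison is done on lowercased RDN strings, a simplification of the
    matching rules a real server uses for DN equality.
    """
    d = [p.lower() for p in split_dn(dn)]
    b = [p.lower() for p in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    entry_dn, entry_attrs = parse_ldif_entry(SAMPLE_LDIF)
    print("entry:", entry_dn)
    for attr in ("cn", "objectclass", "description"):
        print(f"  {attr}: {entry_attrs[attr]}")
    print("hierarchy (leaf to root):")
    for level, name in enumerate(ancestors(entry_dn)):
        print("  " * level + name)
```

Running the script prints the multi-valued cn and objectClass lists, the decoded description, and the four DNs from uid=bjensen up to dc=com; is_under is the check that decides whether an entry can be returned by a search whose base DN is, say, dc=example,dc=com rather than cn=config.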

[1] The objectClass attribute type indicates which attribute types are required for the entry and which are optional. As an entry's object classes can be updated online, and even the definitions of object classes and attributes are expressed as entries that can be updated online, directory data is extensible on the fly.

[2] Attribute values do not have to be strings. The directory can use base64 encoding, however, to make binary attribute values, such as passwords, certificates, or photos, portable in text format.

[3] Sometimes your distinguished names include characters that you must escape. The following example shows an entry that includes escaped characters in the DN.

$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=escape)"
dn: cn=\" # \+ \, \; \< = \> \\ DN Escape Characters,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: " # + , ; < = > \
uid: escape
cn: " # + , ; < = > \ DN Escape Characters
sn: DN Escape Characters
mail: escape@example.com
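The escaping rules behind that output are worth seeing in code. The following is an added example, not part of this guide or of OpenDJ: it implements the RFC 4514 rules for escaping and unescaping an attribute value inside a DN, reproduces the footnote's DN from its cn value, and goes one step beyond the footnote by also escaping an assertion value for the search filter passed to ldapsearch (RFC 4515), which is what keeps user-supplied input from changing the structure of a filter such as "(uid=escape)". The function names and the sample inputs are the example's own.

```python
import re

# RFC 4514 section 2.4: characters that must always be backslash-escaped
# inside a DN attribute value. '#' needs escaping only when it starts the
# value and a space only when it starts or ends the value; '=' needs no
# escaping at all, which matches the server's output in the footnote above.
DN_SPECIALS = frozenset('"+,;<>\\')


def escape_dn_value(value):
    """Escape one attribute value so it can be embedded in a DN (RFC 4514)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(escaped):
    """Inverse of escape_dn_value; also decodes the backslash-XX hex-pair form,
    which RFC 4514 allows for any byte of a UTF-8 value."""
    raw = bytearray()
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == "\\" and i + 1 < len(escaped):
            pair = escaped[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                raw.extend(bytes.fromhex(pair))
                i += 3
            else:
                raw.extend(escaped[i + 1].encode("utf-8"))
                i += 2
        else:
            raw.extend(ch.encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).

    The characters that would alter a filter's structure are replaced by
    backslash plus two hex digits, so the result can only ever be matched
    as a literal value.
    """
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


# The cn value of the footnote's entry, written as a plain Python string
# (this is the stored value, not its escaped DN form).
CN_VALUE = '" # + , ; < = > \\ DN Escape Characters'


def escape_entry_dn():
    """Build the footnote entry's DN from its cn value and its parent DN."""
    return "cn=" + escape_dn_value(CN_VALUE) + ",dc=example,dc=com"


def uid_filter(user_input):
    """Build the '(uid=...)' filter used by the footnote's ldapsearch, with
    the caller-supplied part escaped for RFC 4515."""
    return "(uid=" + escape_filter_value(user_input) + ")"


if __name__ == "__main__":
    print(escape_entry_dn())
    print(unescape_dn_value(escape_dn_value(CN_VALUE)) == CN_VALUE)
    print(uid_filter("escape"))
    print(uid_filter("a*b(c)"))  # constructed input with filter metacharacters
```

The first line printed is exactly the dn line from the footnote's ldapsearch output; the last shows that a value containing filter metacharacters is carried as a literal rather than as additional filter syntax.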

[4] Hence pyramid icons are associated with directory servers.

[5] The root entry for the directory, technically the entry with DN "" (the empty string), is called the root DSE, and contains information about what the server supports, including the other root entries it serves.