Re: How unique must Distinguished Names be?

Eric Rosenquist
Thu, 1 Aug 1996 10:53:17 -0400

On 1 Aug 96 at 15:26, Ed Oskiewicz wrote:

> I am designing an internal LDAP-based directory using information extracted
> from a master internal contact database. I am confused about whether DNs
> must be ambiguous, let me explain with an example.
> My instinct is to create the directory using entries like
> dn: cn=J Soap, o=BT plc, c=gb
> <lots of other attributes>
> The problem is that Names and initials are not unique (we employ 130K people
> and have lots of clashes). Assuming that entries were always distinct what
> (if anything) would slapd do if I added an entry with an existing DN
> (refuse, create a new entry, overwrite the existing one).
> I am proceeding on the assumption that I must disambiguate the DN by
> introducing extra attributes, e.g:
> dn: uid=<unique code>, cn=J Soap, o=BT plc, c=gb
> The trouble is that this makes DNs ugly and I hate it, is there a better
> way?

The DN components have to be unique wrt all their peers at each level,
i.e., each RDN must be unique. If you try to add a DN that already exists
you will get an LDAP_ALREADY_EXISTS error back from LDAP. Changing an
entry requires using the modify operation (to change an entry's
attributes) or modifyRDN (to change the leaf portion of an entry's DN), so
the server can distinguish between an add operation and modify operations
and prevent you from adding something that already exists.

Large organizations are often forced to use multi-valued RDNs to make
all of their names unique; often an employee number or something similar
is used:

cn=J Soap + serialNumber=1234, o=BT plc, c=GB

In a case such as the above, the leaf RDN contains two distinguished
attributes instead of one. You could probably get away with just an
employee number and leave the commonName out of the RDN, but that makes
for unfriendly (to humans) DNs. If you want to avoid multi-valued RDNs
then you can cheat and embed the unique code in the commonName:

cn=J Soap (1234), o=BT plc, c=GB

For searching purposes the entry should contain the normal commonName
(and possibly other variations) as an attribute: ex. "cn=J Soap", "cn=John
Soap", "cn=John Q. Soap". You're allowed to have multiple values for most
attributes, so if you must, you can have the "real" value as an attribute
and the disambiguated value as the RDN.

Eric Rosenquist, Strata Software Limited
Tel: 613-591-1922 Fax: 613-591-3485
Quote: God bless those pagans.
-- Homer Simpson
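An added worked example, not part of the thread, showing the two RDN schemes Eric describes (cn alone versus cn plus an employee number) and what a server does when a DN is added twice. It is a stand-alone Python sketch with a toy in-memory directory standing in for slapd; RDN escaping follows RFC 4514, result code 68 is LDAP's alreadyExists, and the sample employees are constructed.

```python
import re
_SPECIAL = set(',+"\\<>;')   # characters RFC 4514 requires to be escaped inside an RDN value

def escape_rdn_value(value):
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    return ''.join('\\' + ch if ch in _SPECIAL or (i == 0 and ch in ' #')
                   or (i == len(value) - 1 and ch == ' ') else ch
                   for i, ch in enumerate(value))

def build_rdn(avas):
    """Join type=value pairs into a (possibly multi-valued) RDN, e.g. cn=J Soap+serialNumber=1234."""
    return '+'.join(f'{t}={escape_rdn_value(v)}' for t, v in avas.items())

def normalize_dn(dn):
    """Canonical form for DN equality: types lowercased, values compared case-insensitively
    (a simplification of caseIgnoreMatch), no spaces round separators, AVAs of an RDN sorted."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):             # split only on unescaped commas
        avas = []
        for ava in re.split(r'(?<!\\)\+', rdn):       # and on unescaped plus signs
            t, _, v = ava.partition('=')
            avas.append(f'{t.strip().lower()}={v.strip().lower()}')
        rdns.append('+'.join(sorted(avas)))          # AVA order within an RDN is not significant
    return ','.join(rdns)

LDAP_SUCCESS, LDAP_ALREADY_EXISTS = 0, 68             # LDAP result codes (RFC 4511)
def add_entry(dit, dn, attrs):
    """Add to a toy in-memory DIT (dict keyed by normalized DN); refuses duplicates as slapd does."""
    key = normalize_dn(dn)
    if key in dit:
        return LDAP_ALREADY_EXISTS                     # the existing entry is left untouched
    dit[key] = dict(attrs)
    return LDAP_SUCCESS

# Constructed sample export: a name clash, plus a name containing a comma.
PEOPLE = [{'cn': 'J Soap', 'serialNumber': '1234'},
          {'cn': 'J Soap', 'serialNumber': '5678'},
          {'cn': 'Soap, J', 'serialNumber': '9012'}]

def load(people, base='o=BT plc,c=GB'):
    """Load under both RDN schemes; return the add result code per person. The plain cn
    is kept as a searchable attribute of every entry whatever the RDN looks like."""
    results = {}
    for scheme in ('cn', 'cn+serialNumber'):
        dit, codes = {}, []
        for p in people:
            avas = {k: p[k] for k in scheme.split('+')}   # RDN attributes for this scheme
            codes.append(add_entry(dit, f'{build_rdn(avas)},{base}', {'cn': [p['cn']]}))
        results[scheme] = codes
    return results
```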