RE: How unique must Distinguished Names be?

Steve Harris
Thu, 1 Aug 1996 20:31:24 +-100

Others have already mentioned the idea of a unique ID added to the CN, and
also the idea of splitting names into OUs, e.g. CN=J.Soap, OU=Research,
O=BT Plc, C=gb, or whatever.

However, what about using multi-value common names? I.e., you set the DIT
up to use a CN of an employee ID, and a CN of a user name, e.g.

CN=Joe Soap
O=BT Plc

I believe that the LDAP client has to be more sophisticated to cope with such
a search. Certainly, some clients would only resolve if you searched for
"CN=1234,O=...". A better one would cope with a UFN of either 1234 or Joe...

I don't know whether you could configure your DIT this way. Our QUIPU DSA
copes with this admirably, however.

Hope this helps,

Steve Harris
Boldon James Limited


From: Ed Oskiewicz
Sent: 01 August 1996 15:26
Subject: How unique must Distinguished Names be?

I am designing an internal LDAP-based directory using information extracted
from a master internal contact database. I am confused about whether DNs
must be ambiguous; let me explain with an example.

My instinct is to create the directory using entries like

dn: cn=J Soap, o=BT plc, c=gb
<lots of other attributes>

The problem is that names and initials are not unique (we employ 130K people
and have lots of clashes). Assuming that entries were always distinct, what
(if anything) would slapd do if I added an entry with an existing DN
(refuse, create a new entry, overwrite the existing one)?

I am proceeding on the assumption that I must disambiguate the DN by
introducing extra attributes, e.g:

dn: uid=<unique code>, cn=J Soap, o=BT plc, c=gb

The trouble is that this makes DNs ugly and I hate it, is there a better


Ed Oskiewicz

      B54/76, BT Labs, Martlesham Heath, Ipswich, Suffolk, UK, IP5 7RE,
		  Tel +44 1473 640896, Fax +44 1473 640929
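
Added example (not part of the original messages, and not code from either author): a Python sketch of the naming scheme discussed in this thread, with the employee ID as the naming CN and the personal name kept as a second CN value, plus a check for the DN clashes that naming on the personal name would cause. The records, helper names and in-memory directory are constructed for illustration.

```python
import re

BASE = "o=BT Plc,c=gb"
# Constructed sample records standing in for the contact database extract.
RECORDS = [
    {"id": "1234", "name": "Joe Soap"},
    {"id": "5678", "name": "Joe  soap"},   # same name, different employee
    {"id": "9012", "name": "Other, Ann"},  # comma must be escaped in a DN
]

def escape_value(value):
    """Escape an attribute value for a DN string (RFC 4514 special chars)."""
    out = re.sub(r'([\\,+"<>;])', r"\\\1", value)
    return "\\" + out if out.startswith("#") else out

def match_key(value):
    """Approximate caseIgnoreMatch: ignore case and repeated spaces."""
    return " ".join(value.split()).lower()

def dn_for(value):
    """DN of an entry named by a single CN value directly under BASE."""
    return "cn=%s,%s" % (escape_value(" ".join(value.split())), BASE)

def clashes(records, field):
    """Map each DN that naming on `field` would reuse to the ids sharing it."""
    seen = {}
    for rec in records:
        seen.setdefault(match_key(dn_for(rec[field])), []).append(rec["id"])
    return {dn: ids for dn, ids in seen.items() if len(ids) > 1}

def build_directory(records):
    """Name entries by employee id; keep the name as a second cn value."""
    directory = {}
    for rec in records:
        dn = dn_for(rec["id"])
        if match_key(dn) in directory:
            # Models the LDAP result code for an add on an existing DN.
            raise ValueError("entryAlreadyExists (68): " + dn)
        directory[match_key(dn)] = {"dn": dn, "cn": [rec["id"], rec["name"]]}
    return directory

def search_cn(directory, value):
    """Equality search on cn: matches either value of the multi-valued cn."""
    want = match_key(value)
    return sorted(e["dn"] for e in directory.values()
                  if want in map(match_key, e["cn"]))

if __name__ == "__main__":
    print(clashes(RECORDS, "name"))
    print(search_cn(build_directory(RECORDS), "joe soap"))
```

A search on the shared name returns every matching entry, so the client still has to present the candidates; only the employee ID resolves to exactly one DN.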