Re: Multi-valued RDNs: what are the options?

Jochen Keutel (
Wed, 21 Aug 1996 14:15:04 +0200 (MESZ)


> I believe the following to be true: In all three cases queries of the form
> cn=*soap* would return the same results (because you query the entry not the
> dn). Is this correct?

Yes - as far as you store CN as an attribute of the DN.

> If dns are never displayed, then the third form would seem to be preferable
> because it is most compact.

Yes. It depends on your client whether it displays the DN or not.

I don't know how the situation is in Great Britain: Germany has
strong data protection laws. Some companies don't allow to make
employee id numbers visible to other employees - i.e. because
these numbers are sometimes constructed with birthday of the employee, ...

If you are allowed to use these unique numbers you are in a better
situation than I am. It's always the same question: What makes an
employee unique in a company? Department, surname and given name are
not sufficient.

> Is the second form of multi-valued RDN actually part of some standard? If so
> where is it documented and what is the advantage over simple concatenation
> as in the first form?.

It's documented both in X.500 (88: X.501, chapter 8.2; 93: X.501, chapter 9.2)
and LDAP (RFC 1779).
X.500 defines a DN as sequence of RDN; each RDN is a set of AVA
(Attribute Value Assertion).
LDAP has a similar definition.


Dr. Jochen Keutel currently at: Deutsche Telekom
duerr com-soft IZ Darmstadt

Phone: +49 6151 818 579

X.400 : /C=de/A=dbp/P=telekom400/O=dmst03/OU1=08/S=osys-02