What are CN, OU, DC in an LDAP search?

In LDAP (Lightweight Directory Access Protocol), various attributes are used to represent different elements of the directory information tree (DIT). Three commonly used attributes are CN (Common Name), OU (Organizational Unit), and DC (Domain Component). These attributes help in organizing and querying directory data effectively. Here’s what each of them represents:

1. CN (Common Name)

  • Description: The CN attribute stands for Common Name. It is typically used to represent the name of an object within the directory. This could be a person, a device, or any other object that can be uniquely identified within a given context.
  • Usage: It is often used in the context of individual user accounts, contacts, or other directory objects.
  • Example:
    • For a user: CN=John Doe
    • For a server: CN=Server1

2. OU (Organizational Unit)

  • Description: The OU attribute stands for Organizational Unit. It is used to represent a subdivision within the organization, such as departments, teams, or other logical groupings of objects. Organizational Units help in structuring the directory in a hierarchical manner.
  • Usage: OU is used to group related objects together, which can simplify management and access control.
  • Example:
    • OU=Sales
    • OU=Engineering

3. DC (Domain Component)

  • Description: The DC attribute stands for Domain Component. It represents components of the DNS domain name of the directory. Multiple DC attributes are used to represent the complete domain hierarchy.
  • Usage: It is used to construct the base distinguished name (DN) of the directory entries, which defines the namespace of the LDAP directory.
  • Example:
    • For the domain example.com: DC=example, DC=com
    • For the subdomain sales.example.com: DC=sales, DC=example, DC=com

Combining CN, OU, and DC in LDAP DNs

When performing an LDAP search, these attributes are often combined to form a Distinguished Name (DN), which uniquely identifies an entry within the directory. A DN is a sequence of relative distinguished names (RDNs) connected by commas, where each RDN is a set of attribute-value pairs.

Example of a Distinguished Name (DN):

CN=John Doe, OU=Sales, DC=example, DC=com

This DN represents a user named John Doe within the Sales organizational unit of the example.com domain.

How to Use These Attributes in an LDAP Search

When performing an LDAP search, you might specify a base DN and a filter. The base DN defines the starting point of the search, and the filter specifies the criteria for selecting entries.

Example LDAP Search:

Suppose you want to find all entries under the Sales organizational unit within example.com.

  • Base DN: OU=Sales, DC=example, DC=com
  • Filter: (objectClass=*)

This search will retrieve all objects within the Sales organizational unit of the example.com domain.

Practical Example Using an LDAP Search Tool:

ldapsearch -x -b "OU=Sales, DC=example, DC=com" "(objectClass=*)"

This command uses the ldapsearch tool to search for all entries ((objectClass=*)) under the specified base DN (OU=Sales, DC=example, DC=com).

By understanding and using these attributes effectively, you can efficiently navigate and manage entries within an LDAP directory.