What is an RDN Distinguished Name? A Complete Guide

In directory services such as LDAP, a full distinguished name (DN) is composed of one or more Relative Distinguished Names (RDNs). Each RDN names one entry relative to its immediate parent in the directory hierarchy; the leftmost RDN in a DN string is the entry's own name, and the RDNs to its right name its ancestors up to the root.

Quick Summary

A Relative Distinguished Name (RDN) is a single, unique component of a larger Distinguished Name (DN) used in hierarchical directory services. It is an attribute-value pair that identifies an entry relative to its parent, while the full DN provides the complete path from the entry to the directory's root.

Key Points

  • Core Component: every comma-separated component of a Distinguished Name (DN) is a Relative Distinguished Name (RDN). The leftmost one is the entry's own, most specific name; the others are the RDNs of its ancestors.

  • Attribute-Value Pair: An RDN is composed of one attribute-value pair, such as cn=John Doe, or occasionally several.

  • Local Uniqueness: An RDN is unique only within the context of its immediate parent entry in the directory tree. Uniqueness is judged by the attribute's matching rule, so for case-insensitive attributes such as cn the values John Smith and john smith count as the same RDN.

  • Forms a Path: The full DN is created by concatenating the RDNs from the leaf entry up to the root, separated by commas.

  • Multi-Valued RDNs: To ensure uniqueness when a single attribute is insufficient, an RDN can combine multiple attribute-value pairs with a plus sign (+).

  • Application in LDAP/AD: Both LDAP and Active Directory use RDNs as building blocks for DNs to manage and authenticate directory objects like users and groups.

Understanding the Fundamentals of Directory Services

Directory services, such as LDAP (Lightweight Directory Access Protocol) and Active Directory, organize information about users, devices, and other network resources in a hierarchical, tree-like structure. To access or manage any object within this structure, a unique identifier is required. This identifier is the Distinguished Name (DN).

The Core Components: Relative Distinguished Names (RDNs)

The DN is not a single entity but is built from smaller components, much like a file path. Each step in the path is a Relative Distinguished Name (RDN), which identifies an entry uniquely among its siblings (entries at the same level). An RDN consists of at least one attribute-value pair, such as cn=John Doe where cn is the attribute type (common name) and John Doe is its value. For an object to be unique, its RDN must be distinct from any other RDN within the same parent container.

Single-Valued vs. Multi-Valued RDNs

An RDN can be composed of more than one attribute-value pair to guarantee uniqueness, which is known as a multi-valued RDN. This is useful in scenarios where a single attribute might not be unique. For instance, if two users named John Smith exist in the same organizational unit, an RDN could be constructed with a secondary unique attribute, such as a student ID number, to differentiate them.

  • Single-valued RDN example: cn=Benjamin Gray
  • Multi-valued RDN example: cn=John Smith+studentNumber=123456

How an RDN Distinguished Name is Structured

To form a complete DN, the RDNs are concatenated, starting with the RDN of the specific entry and moving up the hierarchy towards the root of the directory tree. The components are separated by a comma. This is the LDAP string form defined in RFC 4514 (most specific RDN first); the older X.500 convention lists the same RDNs in the opposite order, which is why X.509 certificate subjects are often printed root-first. The order of RDNs is crucial, as it defines the complete path to the object. Because the comma and the plus sign are separators, a value containing any of the characters , + " \ < > ; must have that character backslash-escaped (cn=Smith\, John), and a value that begins with a space or #, or ends with a space, needs the same treatment. A value taken from untrusted input and concatenated without escaping can be parsed as additional RDNs, so software that builds DNs must escape values rather than join strings.

For example, in the DN uid=jdoe,ou=users,dc=example,dc=com, the RDN of the user entry is uid=jdoe. Its parent entry is ou=users,dc=example,dc=com, whose own RDN is ou=users, and that entry's parent is dc=example,dc=com, the domain components that form the root of this naming context.

Common RDN Attribute Types

  • cn (Common Name): A general name for an object (e.g., a person's name).
  • ou (Organizational Unit): A division or department within an organization (e.g., ou=Sales).
  • dc (Domain Component): A component of an internet domain name (e.g., dc=com).
  • o (Organization Name): The name of an organization (e.g., o=ExampleCorp).
  • uid (User ID): A unique identifier for a user.

Comparing RDNs and DNs

To better understand the relationship and distinction, consider the following comparison:

  • Definition. RDN: a single component of a DN that identifies an entry relative to its parent. DN: the complete identifier that specifies an entry's exact location in the directory tree, from the leaf to the root.
  • Scope. RDN: unique only among the siblings under one parent container. DN: unique throughout the entire directory service.
  • Function. RDN: provides the specific, 'local' name of an entry. DN: provides the absolute path for locating and referencing an entry.
  • Composition. RDN: an attribute-value pair, or several pairs joined by a plus sign (+). DN: a comma-separated sequence of RDNs, from the most specific to the least.
  • Example. RDN: cn=Ben Gray (for the user). DN: cn=Ben Gray,ou=Users,dc=example,dc=com.

RDNs in LDAP and Active Directory

Both LDAP and Active Directory heavily rely on RDNs and DNs for object management. In Active Directory, the RDN attribute is determined by the rDNAttID attribute of the object's schema class: cn (Common-Name) for most classes, including users and groups, ou for organizational units and dc for domain objects. For example, when you create a new user, the user's RDN is based on their common name. The full DN, which includes the RDNs of all parent containers, is the unique locator for that user object within the Active Directory forest. The string representation of DNs and RDNs in LDAP is defined by RFC 4514, which replaced the earlier RFC 2253.

Moving or renaming an object (the LDAP ModifyDN operation) changes its DN: a move replaces the parent part while the RDN stays the same, and a rename replaces the RDN while the parent part stays the same. Identifiers such as the objectGUID in Active Directory (entryUUID on other LDAP servers) are unchanged by either, which is why the DN should be treated as a name rather than a stable key. Anything that must keep referring to the same object across moves, renames, or a delete followed by re-creation of an entry with the same name, such as group mappings held in another system or audit correlation, should record the GUID; Active Directory security descriptors already use the SID for the same reason. For example, moving a user from ou=Sales to ou=Marketing changes the DN from cn=John Doe,ou=Sales,dc=example,dc=com to cn=John Doe,ou=Marketing,dc=example,dc=com, while the RDN cn=John Doe is untouched.
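The following is an added example, not code from the original article or from any directory product: a small pure-Python parser and serializer for the RFC 4514 string form of a DN, covering the structure rules above (RDNs separated by commas, multi-valued RDNs joined by +, backslash escaping) and the move and rename behaviour just described. The DNs it handles are constructed samples, and move and rename only compute the resulting DN; they do not talk to a server.

```python
# Added example, not part of the original article: a small pure-Python
# parser and serializer for the RFC 4514 string form of a DN. It splits a
# DN into its RDNs (leftmost first), handles multi-valued RDNs joined by
# "+" and backslash-escaped separators, and uses that to derive an entry's
# own RDN and parent DN and the DN that results from a move or a rename.
# All DNs below are constructed samples; no directory server is contacted.
from typing import List, Tuple

SPECIALS = ',+"\\<>;'           # characters that must be escaped inside a value
HEX = "0123456789abcdefABCDEF"

RDN = List[Tuple[str, str]]     # one RDN = one or more (attributeType, value) pairs


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, treating a backslash-escaped sep as literal (escapes are kept)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(v: str) -> str:
    """Decode "\\X" (escaped special) and "\\XX" (hex-escaped byte) sequences."""
    buf, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                buf += bytes.fromhex(pair)       # \2c -> ","
                i += 3
            else:
                buf += v[i + 1].encode("utf-8")  # \, -> ","
                i += 2
        else:
            buf += v[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def escape_value(v: str) -> str:
    """Escape a raw attribute value so it cannot be misread as extra RDNs."""
    out = "".join("\\" + c if c in SPECIALS else c for c in v)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs of dn, most specific first. The empty string names the root DSE."""
    rdns: List[RDN] = []
    if dn == "":
        return rdns
    for rdn_str in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn_str, "+"):
            attr, eq, raw = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.strip(), unescape_value(raw)))
        rdns.append(pairs)
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn: re-escape every value and join with "+" and ","."""
    return ",".join("+".join(f"{a}={escape_value(v)}" for a, v in rdn) for rdn in rdns)


def leaf_rdn(dn: str) -> str:
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    return format_dn(parse_dn(dn)[1:])


def move(dn: str, new_parent: str) -> str:
    """DN after an LDAP ModifyDN with a new superior: the entry keeps its RDN."""
    return format_dn(parse_dn(dn)[:1] + parse_dn(new_parent))


def rename(dn: str, new_rdn: str) -> str:
    """DN after an LDAP ModifyDN that changes only the entry's own RDN."""
    return format_dn(parse_dn(new_rdn)[:1] + parse_dn(dn)[1:])


if __name__ == "__main__":
    dn = "cn=Smith\\, John+employeeNumber=12345,ou=Sales,dc=example,dc=com"
    print(parse_dn(dn))
    print(leaf_rdn(dn), "|", parent_dn(dn))
    print(move(dn, "ou=Marketing,dc=example,dc=com"))
    # An unescaped untrusted value adds an RDN; escaping keeps it a single value.
    print(len(parse_dn("cn=x,ou=admins,ou=users,dc=example,dc=com")),
          len(parse_dn("cn=" + escape_value("x,ou=admins") + ",ou=users,dc=example,dc=com")))
```

The parser keeps escape sequences intact while splitting and only decodes them once each value is isolated, which is what makes cn=Smith\, John parse as one RDN rather than two. Attribute type names are left as written; a comparison function would lower-case them, since types compare case-insensitively.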

Practical Use Cases for RDN Distinguished Names

  • User Authentication: An LDAP-enabled application usually does not know the user's DN in advance. It searches for the login name under a base DN (for example (uid=jdoe) below ou=users,dc=example,dc=com), expects exactly one result, and then binds with the returned DN and the user's password. The login name must be escaped according to RFC 4515 before it is placed in the filter, and the search should be confined to the user subtree, so that a crafted name cannot widen the match to other entries.
  • Search Operations: LDAP queries use DNs to specify the starting point (base DN) for a search. This allows administrators to narrow searches to specific branches of the directory tree, such as searching for all users within a particular ou.
  • Access Control: Access Control Lists (ACLs) can be defined based on DNs, granting or denying permissions to specific entries or subtrees. This allows for granular control over who can access or modify directory resources.
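The following is an added example, not code from the original article or from any LDAP library: the search-then-bind login flow and the base-DN subtree restriction from the list above, run against a constructed in-memory directory with a toy filter evaluator, so it works offline. The entries, passwords and the helper names (search, find_user_dn, authenticate) are assumptions made for this example; the RFC 4515 escaping is the part a real client must get right.

```python
# Added example, not part of the original article: the search-then-bind
# pattern behind LDAP login, with the base DN limiting the search to one
# subtree. Everything runs against a constructed in-memory directory and a
# toy filter evaluator (equality with "*" wildcards and "&" conjunction),
# so no server is needed. The security point is the RFC 4515 escaping of
# the user-supplied login name before it is placed in the filter.
import re
from typing import Dict, List, Optional

# Constructed sample entries; attribute names are stored lowercase because
# LDAP attribute types compare case-insensitively.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=jdoe,ou=users,dc=example,dc=com":
        {"objectclass": ["inetOrgPerson"], "uid": ["jdoe"], "userpassword": ["hunter2"]},
    "uid=asmith,ou=users,dc=example,dc=com":
        {"objectclass": ["inetOrgPerson"], "uid": ["asmith"], "userpassword": ["s3cret"]},
    "uid=svc-backup,ou=services,dc=example,dc=com":
        {"objectclass": ["inetOrgPerson"], "uid": ["svc-backup"], "userpassword": ["b4ckup"]},
}
USER_BASE_DN = "ou=users,dc=example,dc=com"   # assumed subtree holding login accounts


def escape_filter_value(v: str) -> str:
    """RFC 4515: the only characters special in an assertion value, hex-escaped."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(c, c) for c in v)


def _unhex(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _parse_filter(s: str, i: int = 0):
    """Parse the filter starting at s[i] == "("; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    if s[i + 1] == "&":
        i, kids = i + 2, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return ("and", kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i + 1:j].partition("=")
    # An unescaped "*" is a wildcard; everything else (after hex-decoding) is literal.
    pattern = ".*".join(re.escape(_unhex(seg)) for seg in val.split("*"))
    return ("eq", attr.lower(), re.compile(pattern, re.IGNORECASE)), j + 1


def _matches(node, attrs: Dict[str, List[str]]) -> bool:
    if node[0] == "and":
        return all(_matches(k, attrs) for k in node[1])
    _, attr, rx = node
    return any(rx.fullmatch(v) for v in attrs.get(attr, []))


def search(base_dn: str, filter_str: str) -> List[str]:
    """Return the DNs at or below base_dn that match filter_str (a subtree search)."""
    node, end = _parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    base = base_dn.lower()
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base))
                  and _matches(node, attrs))


def find_user_dn(login: str) -> Optional[str]:
    """Map a login name to exactly one DN, or None. The login is escaped first."""
    filt = f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(login)}))"
    hits = search(USER_BASE_DN, filt)
    return hits[0] if len(hits) == 1 else None


def authenticate(login: str, password: str) -> Optional[str]:
    """Search-then-bind: find the DN, then bind as it. The bind is simulated here."""
    dn = find_user_dn(login)
    if dn is None:
        return None
    bind_ok = password in DIRECTORY[dn]["userpassword"]   # a real server verifies this
    return dn if bind_ok else None


if __name__ == "__main__":
    print(authenticate("jdoe", "hunter2"))          # the user's DN
    print(find_user_dn("*)(uid=*"))                 # None: escaped, so no widening
    # What the unescaped payload would have produced, run directly:
    print(search(USER_BASE_DN, "(&(objectClass=inetOrgPerson)(uid=*)(uid=*))"))
```

With escaping, the payload *)(uid=* becomes the literal value \2a\29\28uid=\2a and matches nothing; without it the same text turns the filter into three clauses that every user satisfies, and the caller's exactly-one-result check is the only thing left standing between that and a login as an arbitrary account. Restricting the base DN to the user subtree also keeps service accounts such as uid=svc-backup,ou=services,dc=example,dc=com out of reach of the login path.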

Conclusion

In essence, an RDN distinguished name is the simplest, most local component of a complete Distinguished Name, representing a single node in a directory tree. While the RDN offers local uniqueness within a parent container, the full DN provides the absolute path to any object, unique across the directory. A solid understanding of RDNs and DNs is fundamental for anyone working with directory services, as it is the basis for locating, identifying, and managing every object within the hierarchical structure. For further technical details, refer to the LDAP.com article on DNs and RDNs.

Frequently Asked Questions

A Relative Distinguished Name (RDN) is a single, local component of a full Distinguished Name (DN). The DN is the complete, unique path to an object from the directory's root, while the RDN is only the unique part relative to the object's parent.

An RDN must be unique so that no two sibling entries within the same parent container share the same RDN under the attribute's matching rule. For example, within the ou=Sales container, you cannot have two users both with the RDN cn=John Smith, and for a case-insensitive attribute such as cn the value john smith counts as the same RDN.

You can use a multi-valued RDN by combining a non-unique attribute, like cn=John Smith, with a unique one, such as employeeNumber=12345, separated by a plus sign. This creates a unique identifier even for objects with similar names.

Yes, although it is less common, an RDN can consist of multiple attribute-value pairs joined by a plus (+) sign. This is used when a single attribute is not enough to ensure uniqueness among siblings.

The full DN is a comma-separated list of RDNs, starting with the RDN of the specific entry (the leaf) and proceeding up the directory tree towards the root (e.g., cn=John Doe,ou=users,dc=example,dc=com).

When an object is moved to a new parent container, its full DN changes to reflect the new path. However, the object's individual RDN, which is its specific name part, typically remains the same unless the object itself is renamed.

Common attributes used for RDNs include cn (common name), ou (organizational unit), dc (domain component), and uid (user ID).
