Understanding Directory Names: DN vs. RDN
For anyone working with directory services such as Lightweight Directory Access Protocol (LDAP) or Microsoft's Active Directory, navigating the naming conventions is crucial. The terms Distinguished Name (DN) and Relative Distinguished Name (RDN) are foundational concepts that define how objects are located and managed within the directory's hierarchical structure. While often used in the same context, they represent distinct levels of specificity in the directory tree.
What is a Distinguished Name (DN)?
A Distinguished Name, or DN, is a unique identifier that specifies the complete, absolute path to an entry in a directory information tree (DIT). Think of it as the full street address for a house, including the house number, street, city, state, and country. This complete path ensures that every entry—whether it's a user, a group, or a device—can be located unambiguously.
An LDAP DN is constructed by listing the names of all the parent entries, from the specific object all the way up to the root of the directory. These components are separated by commas. For example, the DN for a user named "Jane Doe" in the "Marketing" department of the "example.com" domain might be:
cn=Jane Doe,ou=Marketing,dc=example,dc=com
This DN provides a clear, hierarchical context, showing that the user cn=Jane Doe is located within the organizational unit ou=Marketing, which in turn is part of the domain components dc=example and dc=com.
What is a Relative Distinguished Name (RDN)?
In contrast, a Relative Distinguished Name, or RDN, is a single component of a DN. It is the unique identifier of an entry relative to its parent. Continuing the street address analogy, an RDN is like the house number on a specific street. While several houses might have the same number, they are only unique on their respective streets. Similarly, an RDN must be unique only within its parent container.
An RDN is typically composed of one or more attribute=value pairs. In our example DN above, the RDN for the user is cn=Jane Doe. This specific RDN is only unique within the ou=Marketing container. Another cn=Jane Doe could exist in a different organizational unit, like ou=Sales, as long as its full DN is different.
RDNs can also contain multiple attribute-value pairs, separated by a plus sign (+). This is useful in scenarios where a single attribute might not be unique enough within a container. A multivalued RDN might look like cn=John Smith+studentNumber=123456, ensuring uniqueness in a large university directory.
DN vs. RDN Comparison Table
| Feature | Distinguished Name (DN) | Relative Distinguished Name (RDN) | 
|---|---|---|
| Purpose | Uniquely identifies an entry within the entire directory tree. | Uniquely identifies an entry relative to its immediate parent. | 
| Scope | Global (entire directory). | Local (within its parent container). | 
| Composition | A full path of comma-separated RDNs. | A single attribute-value pair or multiple pairs separated by a plus sign. | 
| Example | cn=Jane Doe,ou=Marketing,dc=example,dc=com | cn=Jane Doe | 
| Uniqueness | Must be unique throughout the entire directory. | Must be unique only within its parent container. | 
| Analogy | A complete file path like /home/user/document.txt | The filename document.txt | 
How DNs and RDNs Work Together
The relationship between a DN and RDN is foundational to how directory services operate. A DN is built from a sequence of RDNs, with the most specific RDN (that of the entry itself) listed first, followed by the RDN of its parent, and so on, up to the root. For instance, starting with the RDN cn=Jane Doe, you append the parent's RDN ou=Marketing to form cn=Jane Doe,ou=Marketing. You then append the next parent's RDNs dc=example,dc=com to form the full DN. This hierarchical construction allows for efficient lookups and management of directory entries.
For example, when an LDAP client authenticates, it might use the user's full DN and password to bind to the directory server. Similarly, when performing a search operation, a DN can be used as a search base to specify where the query should begin, restricting the scope of the search to a specific subtree.
Importance in Directory Management
The clear distinction between DN and RDN is vital for several directory management tasks:
- Moving an object: When an entry is moved to a different container, its RDN may not change, but its full DN will, as the path to its parent has been altered. For example, moving a user from ou=Marketing to ou=Sales would change their DN from cn=Jane Doe,ou=Marketing,... to cn=Jane Doe,ou=Sales,....
- Renaming an object: If you rename an object, such as changing a user's common name (cn), you are effectively changing the object's RDN. This automatically results in a new DN for the object, even if its position in the hierarchy remains the same.
- Performance: Understanding the hierarchy represented by a DN helps in optimizing search queries. By providing a specific DN as a base, administrators can reduce the scope of a search and improve performance.
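The following is an added example, not code from the original article: a small DN parser in the spirit of RFC 4514 that splits a DN into its RDNs (honouring backslash-escaped separators and "+" multivalued RDNs), rebuilds the DN from RDN plus parent as described in the section above, models the move and rename operations from the list, and compares DNs by normalised form rather than raw string equality. All function names are assumptions; the sample DNs are the article's own plus a constructed escaped-comma case.

```python
# Added example, not from the original article: minimal RFC 4514-style DN handling that
# honours backslash escapes and "+" multivalued RDNs, builds/moves/renames DNs, and compares them.
from typing import List, Tuple
RDN = List[Tuple[str, str]]  # (attribute, value) pairs; more than one pair = multivalued RDN

def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, skipping separators escaped with a backslash (e.g. 'Doe\\, Jane')."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):  # keep the escape pair intact
            cur.extend(text[i:i + 2]); i += 2; continue
        if text[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn: str) -> List[RDN]:
    """RDNs of dn, most specific first (leaf -> root); values stay escaped, unescaped whitespace dropped."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, _, value = ava.partition("=")
            pairs.append((attr.strip(), value.strip()))
        rdns.append(pairs)
    return rdns

def format_dn(rdns: List[RDN]) -> str:
    return ",".join("+".join(f"{a}={v}" for a, v in rdn) for rdn in rdns)

def rdn_of(dn: str) -> str:     # the entry's own RDN is the first component
    return format_dn(parse_dn(dn)[:1])

def parent_of(dn: str) -> str:  # the container's DN is everything after the first RDN
    return format_dn(parse_dn(dn)[1:])

def move_entry(dn: str, new_parent_dn: str) -> str:  # RDN kept, parent path replaced
    return format_dn(parse_dn(dn)[:1] + parse_dn(new_parent_dn))

def rename_entry(dn: str, new_rdn: str) -> str:      # RDN replaced, parent path kept
    return format_dn(parse_dn(new_rdn)[:1] + parse_dn(dn)[1:])

def same_dn(a: str, b: str) -> bool:
    """Equality by normalised form: types and values case-folded, pair order inside a multivalued
    RDN ignored. Case-folding every value is a simplification (matching rules are per attribute)."""
    norm = lambda dn: [sorted((t.lower(), v.lower()) for t, v in rdn) for rdn in parse_dn(dn)]
    return norm(a) == norm(b)
```

Any code that authorises on a DN (group membership, bind identity, search base checks) should compare with a normalising function like same_dn, because the same entry can legitimately be written with different casing and spacing.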
Conclusion
The difference between a Distinguished Name (DN) and a Relative Distinguished Name (RDN) is a matter of scope and hierarchy. The DN provides the complete, unambiguous path to an entry from the directory root, guaranteeing its uniqueness. The RDN, conversely, is a single, relative component of that DN, uniquely identifying the entry within its immediate parent container. By understanding this core relationship, IT professionals can more effectively manage, locate, and manipulate objects within directory services like LDAP and Active Directory. The DN is the full address, while the RDN is the name at the door.
For further reading, the comprehensive guide on LDAP DNs and RDNs from LDAP.com is an excellent resource.