
Re: LDAP data model - restrictions on RDN's



Content rules and naming restrictions are optional in LDAPv3...

At 05:17 PM 12/28/00 -0500, Dan Weinreb wrote:
>I was wondering if someone could help me with a question about LDAP.
>I'm trying to understand LDAP's data model.  I've read two books on
>LDAP ("Implementing LDAP" and "Understanding and Deploying LDAP
>Directory Services") and I've looked at the RFC's on LDAP v3, and I
>can't find the answer.
>
>This much I understand: Every LDAP entry has a Relative Distinguished
>Name.  The RDN of an entry is always of the form "att=val" where att
>is the name of an attribute, and the entry has an attribute named
>"att", and one of the values of the attribute is "val".  Please
>correct me if this isn't right.
>
>I was surprised to find that nowhere in the LDAP schema does it say
>anything about which attributes can or should or must be used to form
>the RDN.  (I gather X.500 has something called a "name form" which
>looks as if it might be relevant, but that concept does not seem to be
>in LDAP.)  When you create a new LDAP entry, can you select any
>attribute (and any value of that attribute) of the entry to form the
>RDN?
>
>For example, could there be an entry of objectClass 'person' whose RDN
>was "sn=foo" and another entry of objectClass 'person' whose RDN was
>"cn=foo", both in the same LDAP database?  How about if both have the
>same DN other than the first RDN, i.e. they are siblings in the DIT?
>
>(I certainly realize why this is a bad idea and I'm not particularly
>contemplating doing it; I just want to understand the LDAP data
>model.)
>
>For that matter, if you have a set of "sibling" entries, need they
>have anything in common *beyond* having the same DN other than the
>first RDN?  Can they be of unrelated objectClasses?
>
>Thanks very much!
>
>Dan Weinreb
>Software Architect and co-founder
>eXcelon Corp.
>dlw@exceloncorp.com
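As an added example (not part of this thread), a small Python check of the two rules discussed above: every RDN attribute value must actually be present in the entry, and a name form, which LDAPv3 leaves optional, may further restrict which attributes can name an entry of a given structural class. The name-form table and the sample 'person' entry are constructed for illustration.

```python
# Added example, not from the original thread. Checks an RDN against an
# entry (the "att=val must be a value of att" rule) and, optionally,
# against a constructed name-form table (which LDAPv3 servers need not have).
from typing import Dict, List, Optional, Set, Tuple

def split_rdn(rdn: str) -> List[Tuple[str, str]]:
    """Split 'cn=foo+sn=bar' into [('cn','foo'),('sn','bar')].
    Handles backslash-escaped '+', '=' and ',' (hex escapes not covered)."""
    avas: List[Tuple[str, str]] = []
    attr: Optional[str] = None
    buf, escaped, in_value = "", False, False
    for ch in rdn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            attr, buf, in_value = buf.strip().lower(), "", True
        elif ch == "+":
            if attr is None:
                raise ValueError(f"RDN component without '=': {rdn!r}")
            avas.append((attr, buf.strip()))
            attr, buf, in_value = None, "", False
        else:
            buf += ch
    if attr is None:
        raise ValueError(f"RDN component without '=': {rdn!r}")
    avas.append((attr, buf.strip()))
    return avas

def rdn_matches_entry(rdn: str, entry: Dict[str, List[str]]) -> bool:
    """True if each RDN attribute value is present in the entry (case-insensitive)."""
    lowered = {k.lower(): {v.lower() for v in vals} for k, vals in entry.items()}
    return all(value.lower() in lowered.get(attr, set())
               for attr, value in split_rdn(rdn))

def name_form_ok(rdn: str, entry: Dict[str, List[str]],
                 name_forms: Dict[str, Set[str]]) -> bool:
    """Apply a name form if one exists for the entry's object class.
    With no name form, any attribute the entry holds may form the RDN."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    rdn_attrs = {attr for attr, _ in split_rdn(rdn)}
    for cls, allowed in name_forms.items():
        if cls in classes:
            return rdn_attrs <= allowed
    return True

# Constructed sample data: a name form restricting 'person' to cn-based RDNs.
NAME_FORMS: Dict[str, Set[str]] = {"person": {"cn"}}
PERSON: Dict[str, List[str]] = {"objectClass": ["top", "person"],
                                "cn": ["foo"], "sn": ["foo"]}
```

With this data, "sn=foo" is a legal RDN under the bare data model but is rejected once the name form applies; "cn=foo" passes both checks.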