
Re: Different CN's for DN and CN.

On Tue, Mar 18, 2003 at 09:22:25AM +1100, Dave Horsfall wrote:

> > It has already been pointed out that you need an attribute 'cn' that
> > has the same value as the 'cn' in the DN. It is worth noting that 'cn'
> > is a multi-valued attribute, so it would be quite OK to do this:
> >
> > dn: cn=myname, ou=people, dc=sws, dc=oldham, dc=uk, dc=net
> > cn: My Name
> > cn: myname
> Is it permissible to have multiple RDNs?  All the instances I've
> seen locally were the result of user error.

There can only be one RDN, though it can have multiple attributes e.g.:

	cn=John Smith + uid=xyzzy27

This can be useful for avoiding name-clash problems.

The example I gave above is where a single-valued RDN is chosen from 
the set of values of a multi-valued attribute. The chosen value
becomes the *distinguished* one, hence the terms 'Distinguished Name'
and 'Relative Distinguished Name'. It is common to use 'cn' to name
personal entries, and it is also common to place several different
forms of name in the 'cn' attribute to make searching easier. This is
particularly valuable where people are known by nicknames, e.g.:

	dn: cn=B S Walker, ou=Cybernetics, o=Reading University, c=GB
	cn: B S Walker
	cn: Brian Stanley Walker
	cn: Paddy Walker
	sn: Walker

The rules about DNs and RDNs go right back to X.500(1988). The summary
is given in section 6.3:

	Every entry has a *distinguished name*, which uniquely and
	unambiguously identifies the entry. These properties of the
	distinguished name are derived from the tree structure of the
	information. The distinguished name of an entry is made up of
	the distinguished name of its superior entry, together with
	specially nominated attribute values (the *distinguished*
	values) from the entry.

Much more detail appears in X.501(1988) section 8. In particular,
8.1(g) defines an RDN as:

	A set of attribute-value assertions, each of which is true,
	concerning the distinguished values of a particular entry.

Referring back to X.501(1988) 7.4.2 we find:

	At most one of the values of an attribute may be designated as
	the *distinguished value*, in which case the attribute value
	appears in the relative distinguished name of the entry.

These structural definitions carried forward into later versions of
X.500 and also into LDAP.

> > # This example is a simple attribute that records what sort of
> > # spam checking is required in the mail system.
> Please tell me more...  I've been looking for something like this
> (I'm less tolerant of spam than my colleagues, for example, and I'm
> happy to take a harder line).

The definitions were extracted from VDM (Virtual Domain Manager) which
is a web-based mail-system management utility that I wrote last year. It
uses LDAP to store user information, and is based on Exim, OpenLDAP,
Cyrus, Apache, Perl, Gnu Mailman, Mailscanner, and Template Toolkit. VDM
is designed to manage multiple mail domains on a single machine. I plan
to release the code though I have not packaged it yet.

As it happens, individual control of spam filtering is the bit I
have not implemented!

VDM is rather off-topic for this list (apart from the way it uses
OpenLDAP) so if you want further details please contact me directly.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
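Added example (not part of the original message or of VDM): a small checker for the rule quoted above from X.501, that every attribute-value assertion in an entry's RDN must be true of the entry, i.e. the distinguished value must actually be one of the values of that attribute. It parses a string DN into RDNs, splits a multi-valued RDN such as `cn=John Smith+uid=xyzzy27` into its assertions, and compares each against the entry's own attribute values. The DN parser is a simplification of RFC 4514 syntax (backslash escapes of `,` and `+` only, no hex pairs or quoted values), the LDIF reader handles only plain `attr: value` lines, and the value comparison is an approximation of caseIgnoreMatch; the entries used as input are constructed for the example, two of them built from the entries shown in the message.

```python
"""Check that an LDAP entry's RDN is backed by the entry's attribute values.

Added example, not code from the original message. Simplified RFC 4514 DN
syntax: backslash escapes of ',' and '+' are handled, hex pairs and quoted
values are not. LDIF reading is limited to one 'attr: value' per line.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Parse a string DN into RDNs, leaf first.

    Each RDN is a list of (attribute type, value) pairs. A multi-valued RDN
    like 'cn=John Smith+uid=xyzzy27' yields two pairs in one list.
    """
    rdns: list[list[tuple[str, str]]] = []
    avas: list[tuple[str, str]] = []
    buf: list[str] = []

    def flush_ava() -> None:
        attr, eq, value = "".join(buf).partition("=")
        if not eq:
            raise ValueError(f"malformed AVA: {''.join(buf)!r}")
        avas.append((attr.strip().lower(), value.strip()))
        buf.clear()

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped separator is kept literally
            i += 2
            continue
        if ch in ",+":
            flush_ava()
            if ch == ",":  # ',' ends the RDN, '+' only ends one AVA
                rdns.append(list(avas))
                avas.clear()
        else:
            buf.append(ch)
        i += 1
    flush_ava()
    rdns.append(list(avas))
    return rdns


def parse_ldif_entry(text: str) -> tuple[str, dict[str, list[str]]]:
    """Read a minimal LDIF entry: returns (dn, {attr: [values]})."""
    dn = ""
    attrs: dict[str, list[str]] = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)
    if not dn:
        raise ValueError("entry has no dn")
    return dn, attrs


def normalize(value: str) -> str:
    """Rough caseIgnoreMatch: trim, collapse spaces, ignore case."""
    return " ".join(value.split()).casefold()


def check_rdn(text: str) -> list[str]:
    """Return one message per RDN assertion the entry does not satisfy.

    An empty list means every distinguished value named in the RDN is
    present among that attribute's values, as X.501 requires.
    """
    dn, attrs = parse_ldif_entry(text)
    rdn = parse_dn(dn)[0]
    problems = []
    for attr, value in rdn:
        values = attrs.get(attr, [])
        if not any(normalize(value) == normalize(v) for v in values):
            problems.append(
                f"RDN asserts {attr}={value!r} but entry has {attr} values {values}"
            )
    return problems


# Constructed sample entries (two follow the entries shown in the message).
WALKER_ENTRY = """\
dn: cn=B S Walker, ou=Cybernetics, o=Reading University, c=GB
cn: B S Walker
cn: Brian Stanley Walker
cn: Paddy Walker
sn: Walker
"""

MULTI_RDN_ENTRY = """\
dn: cn=John Smith+uid=xyzzy27, ou=people, dc=example, dc=org
cn: John Smith
uid: xyzzy27
sn: Smith
"""

# The DN names 'myname' but the entry only carries 'My Name' as its cn.
BROKEN_ENTRY = """\
dn: cn=myname, ou=people, dc=sws, dc=oldham, dc=uk, dc=net
cn: My Name
sn: Name
"""

if __name__ == "__main__":
    for name, entry in [("walker", WALKER_ENTRY), ("multi", MULTI_RDN_ENTRY),
                        ("broken", BROKEN_ENTRY)]:
        print(name, check_rdn(entry) or "ok")
```

Running it reports `ok` for the Walker entry and the multi-valued RDN, and for the last entry names the missing distinguished value; adding a second `cn: myname` line, as the quoted text suggests, makes it pass.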