You must understand the following concepts in order to work with the LDAP Access Service:
Directory Tree
Data in an LDAP directory service is arranged in tree structures. Each node in a tree represents a data entry that has attributes describing it. These trees are referred to collectively as the Directory Information Tree (DIT).
Name-Value Pair
A name-value pair is a combination of a name, and one or more values. A defined character separates multiple values in a name-value pair, which is most often a comma. The following is an example:
o=XYZ Corp
telephoneNumber=1-800-787-2218,1-212-402-3390
Distinguished Name (DN)
A Distinguished Name is used in LDAP to identify data entries in the Directory Information Tree. A Distinguished Name is composed of name-value pairs. Name-value pairs in a DN may only have one value. Commas separate each name-value pair in a DN. The following is an example of an LDAP name: cn=John Doe,ou=Finance,o=XYZ Corp,c=US
Each name-value pair can be said to represent a hierarchical node in the DIT. The hierarchy begins at the right and continues to the left, so that in the example above, the first node is c=US, then o=XYZ Corp, and so on. Basically, a data entry in a DIT is identified uniquely by combining its own name-value pair with the name-value pair of its parent entries, in an ascending hierarchy, from left to right.
Suffix
A suffix in an LDAP directory is composed by combining the name-value pairs of one or more hierarchical entries in the DIT, starting at the root. In other words, a suffix is composed of the name-value pair of the root of the DIT and the name-value pairs for zero or more entries below it. Using the example given for a DN above, the following could be some suffixes:
ou=Finance,o=XYZ Corp,c=US
o=XYZ Corp,c=US
Root Suffix
An LDAP DIT may have one or more roots, from which all other entries are defined. Roots in a DIT are identified by the root suffix. The root suffix is composed of name-value pairs that define the name of the root. The following is an example of a root suffix:
o=XYZ Corp,c=US
Unlike for distinguished names, the name-value pairs in a root suffix do not correspond to actual directory entries; in other words a root suffix cannot be broken down into sub-entries. An administrator would be responsible for creating root suffixes in a LDAP directory, and would define the whole suffix at once, for example as o=XYZ Corp,c=US, instead of first defining the entry c=US, then another one underneath it called o=XYZ Corp.
Relative Distinguished Name (RDN)
Each distinguished name in LDAP is composed relative to a suffix (defined above). The name obtained by dropping the suffix is termed the relative distinguished name. So for the DN and root suffix declared above, the following would be the RDN:
cn=John Doe,ou=Finance
Attribute
Data entries in an LDAP directory have attributes that describe them. An attribute is defined using a name-value pair. The name and values in an attribute name-value pair are separated using a ':' instead of an '=' sign. The following is an example of an attribute: