What do people use for CN with inetOrgPerson in LDAP directories

user207421 · Oct 19, 2011 · Viewed 7.1k times

I've been using givenName+" "+surname for the CN field and I woke up screaming last night 'what about John Smith'? I can imagine any large organization employing multiple people with the same name. So of course this isn't going to work. What do people use instead?

EDIT Note: in inetOrgPerson the CN is part of the DN.

EDIT Note: in this situation I am expecting to grow to hundreds of thousands of user entries.

Answer

JPBlanc · Oct 19, 2011

In an LDAP directory, whether it's OpenLDAP or Active Directory, a rule is that a Distinguished Name (DN) must be unique, regardless of the attribute (or attributes) used to constitute the Relative Distinguished Name (RDN).

How do people make sure that it's unique:

  1. I would say that in a small business the guy who creates the entry in the directory guarantees that it's unique, first by knowledge, second by a preliminary search. If a duplicate appears he finds some solution like 'John E Smith'. Using this solution, if the name changes (marriage, divorce etc.), the LDAP record has to "move" from one DN to another. It's better to avoid changing the DN of an entry whenever possible, but in a small directory it's not important.

  2. In a medium business the uniqueness is most of the time given by the employee ID coming from human resources. For example FR12345678. I saw, in big companies, people logging in with their employee ID. For the thing I describe here, it's more standard to use the uid attribute to name an object instead of cn (but some directories don't let you choose the naming attribute, I think it's an X.500 feature).

  3. In most directories (not in AD) you can use more than one attribute to compose the RDN. For example sn=Assin+TelephoneNumber=1234 is a valid RDN in OpenLDAP and it can make sense in a PBX. One more thing:

In some directories (designed for system administration) some attributes are tested by the server side as unique all over the tree. That's the case of sAMAccountName or userPrincipalName in Active Directory, and they are used for login purposes. Using the CN attribute with "givenName Name" obliges the administrators to guarantee uniqueness. You can use the unique overlay in OpenLDAP for that; in the database definition in slapd.conf, add:

# index since the unique overlay will search for matching mail attributes
index mail eq

overlay unique
unique_attributes mail

If the unique overlay is not compiled in, you'll need to recompile with:

./configure ... --enable-unique
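As an added example (not part of the answer above), the three naming strategies JPBlanc describes, cn from the name, uid from the HR employee ID, and a multi-valued sn+telephoneNumber RDN, applied to a constructed set of people to show which ones collide for two John Smiths. Values are escaped per RFC 4514 so a surname such as "Smith, Jr." cannot alter the DN structure; the base DN, the employee records and the case-insensitive DN comparison are assumptions of this example.

```python
from typing import Callable, Dict, List

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;=')

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot alter the DN structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return ''.join(out)

def build_dn(rdn: Dict[str, str], base_dn: str) -> str:
    """Join a single- or multi-valued RDN (attr=val+attr=val) onto the base DN."""
    return '+'.join(f"{a}={escape_rdn_value(v)}" for a, v in rdn.items()) + ',' + base_dn

# The three naming strategies from the answer: cn built from the name, uid from
# the HR employee ID, or a multi-valued RDN (not available in AD).
def cn_rdn(p): return {'cn': f"{p['givenName']} {p['sn']}"}
def uid_rdn(p): return {'uid': p['employeeNumber']}
def sn_phone_rdn(p): return {'sn': p['sn'], 'telephoneNumber': p['telephoneNumber']}

def find_collisions(people: List[Dict[str, str]], rdn_func: Callable,
                    base_dn: str = 'ou=people,dc=example,dc=com') -> Dict[str, List[str]]:
    """Return {dn: [employeeNumbers]} for every DN more than one person would get.
    Assumption: the directory compares DNs case-insensitively (caseIgnoreMatch)."""
    seen: Dict[str, List[str]] = {}
    for p in people:
        dn = build_dn(rdn_func(p), base_dn).lower()
        seen.setdefault(dn, []).append(p['employeeNumber'])
    return {dn: ids for dn, ids in seen.items() if len(ids) > 1}

# Constructed sample data: two different John Smiths plus a surname containing a comma.
PEOPLE = [
    {'givenName': 'John', 'sn': 'Smith', 'employeeNumber': 'FR12345678', 'telephoneNumber': '1234'},
    {'givenName': 'John', 'sn': 'Smith', 'employeeNumber': 'FR87654321', 'telephoneNumber': '5678'},
    {'givenName': 'Anne', 'sn': 'Smith, Jr.', 'employeeNumber': 'FR00000001', 'telephoneNumber': '9999'},
]

if __name__ == '__main__':
    for name, f in (('cn', cn_rdn), ('uid', uid_rdn), ('sn+telephoneNumber', sn_phone_rdn)):
        print(name, find_collisions(PEOPLE, f) or 'no collisions')
    print(build_dn(cn_rdn(PEOPLE[2]), 'ou=people,dc=example,dc=com'))
```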