1. Distinguished names (DNs)


cn=Ben Gray,ou=editing,o=New York Times,c=US
cn=Lucille White,ou=editing,o=New York Times,c=US
cn=Tom Brown,ou=reporting,o=New York Times,c=US

Relative Distinguished Name (RDN): for example, cn=Tom Brown is an RDN.

If a value contains any of the special characters = + < > # ; \ , or ", escape it with a backslash (\).
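As an added example (not code from these notes), a small Python parser that applies this escaping rule when splitting a DN into RDNs; parse_dn(dn)[0] is the RDN. escape_value is the inverse and is the safe way to build a DN from user-supplied text. Both function names are hypothetical.

```python
import string
SPECIAL = set('=+<>#;\\,"')   # characters the notes above say must be escaped

def _text(buf):
    """Join (char, escaped) pairs, dropping unescaped leading/trailing spaces."""
    while buf and buf[0] == (' ', False):
        buf.pop(0)
    while buf and buf[-1] == (' ', False):
        buf.pop()
    return ''.join(c for c, _ in buf)

def parse_dn(dn):
    """Split a DN into RDNs (as written, leaf first); each RDN is a list of (type, value)."""
    rdns, cur, buf, attr_type, i = [], [], [], None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':                                   # backslash escape
            nxt, pair = dn[i + 1:i + 2], dn[i + 1:i + 3]
            if nxt in SPECIAL or nxt == ' ':             # \, \+ \= ... and '\ '
                buf.append((nxt, True)); i += 2
            elif len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append((chr(int(pair, 16)), True)); i += 3   # \2C hex form
            else:
                raise ValueError('invalid escape at offset %d' % i)
            continue
        if ch == '=' and attr_type is None:              # end of attribute type
            attr_type, buf = _text(buf).lower(), []
        elif ch in ',+' and attr_type is not None:       # end of one value
            cur.append((attr_type, _text(buf))); buf, attr_type = [], None
            if ch == ',':                                # ',' ends the RDN, '+' does not
                rdns.append(cur); cur = []
        elif ch in ',+':
            raise ValueError('separator before "=" at offset %d' % i)
        else:
            buf.append((ch, False))
        i += 1
    if attr_type is None:
        raise ValueError('DN must end with type=value')
    cur.append((attr_type, _text(buf)))
    rdns.append(cur)
    return rdns

def escape_value(value):
    """Escape a raw value for embedding in a DN (inverse of parse_dn); use on user input."""
    out = ''.join('\\' + c if c in SPECIAL else c for c in value)
    if out.startswith(' '):                              # a leading space must be escaped
        out = '\\' + out
    if out.endswith(' '):                                # so must a trailing one
        out = out[:-1] + '\\ '
    return out
```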

DNs and RDNs - Tree Hierarchy
2. Pseudo DNs

IBM DS supports three pseudo DNs:

  • access-id: CN=THIS
  • group: CN=ANYBODY
  • group: CN=AUTHENTICATED
Example 1

Consider the following ACL for object: cn=personA, c=US

AclEntry: access-id: CN=THIS:critical:rwsc
AclEntry: group: CN=ANYBODY: normal:rsc
AclEntry: group: CN=AUTHENTICATED: sensitive:rcs

User binding as        Would receive
cn=personA, c=US       normal:rsc:sensitive:rcs:critical:rwsc
cn=personB, c=US       normal:rsc:sensitive:rsc

In this example, personA receives permissions granted to the "CN=THIS" ID, and permissions given to both the "CN=ANYBODY" and "CN=AUTHENTICATED" pseudo DN groups. 

Example 2

Consider the following ACL for object: cn=personA, c=US

AclEntry: access-id:cn=personA, c=US: object:ad
AclEntry: access-id: CN=THIS:critical:rwsc
AclEntry: group: CN=ANYBODY: normal:rsc
AclEntry: group: CN=AUTHENTICATED: sensitive:rcs

For an operation performed on cn=personA, c=US:

User binding as        Would receive
cn=personA, c=US       object:ad:critical:rwsc
cn=personB, c=US       normal:rsc:sensitive:rsc
In this example, personA receives permissions granted to the "CN=THIS" ID, and those given to the DN itself "cn=personA, c=US". Note that the group permissions are not given because there is a more specific aclentry ("access-id:cn=personA, c=US") for the bind DN ("cn=personA, c=US").
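A hypothetical evaluator, added here and not IBM's code, that reproduces both examples. Its precedence rule is modelled only on what the examples show (an access-id entry naming the bind DN suppresses the pseudo groups; CN=THIS still applies when the bound DN is the object itself), and only the pseudo groups are modelled, not real group membership.

```python
def norm_dn(dn):
    """Comparison key for the simple DNs used here: lower case, no space after ','."""
    return ','.join(part.strip().lower() for part in dn.split(','))

def parse_acl(text):
    """Parse 'AclEntry: <kind>: <subject>: <class>:<perms> ...' lines as in the examples."""
    entries = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split('AclEntry:', 1)[1].split(':')]
        kind, subject, rest = parts[0].lower(), norm_dn(parts[1]), parts[2:]
        perms = {rest[i].lower(): set(rest[i + 1]) for i in range(0, len(rest), 2)}
        entries.append((kind, subject, perms))
    return entries

def effective_perms(acl, object_dn, bind_dn=None):
    """Permissions bind_dn gets on object_dn as {attr_class: set(ops)}; None = anonymous."""
    bound = norm_dn(bind_dn) if bind_dn else None
    granted = {}
    def grant(perms):
        for cls, ops in perms.items():
            granted.setdefault(cls, set()).update(ops)
    # 1. an access-id entry naming the bind DN itself is the most specific match
    explicit = [e for e in acl if e[0] == 'access-id' and e[1] == bound]
    for _, _, perms in explicit:
        grant(perms)
    # 2. CN=THIS applies whenever the bound DN is the object being accessed
    if bound is not None and bound == norm_dn(object_dn):
        for kind, subject, perms in acl:
            if kind == 'access-id' and subject == 'cn=this':
                grant(perms)
    # 3. pseudo groups are consulted only when no explicit access-id entry matched
    if not explicit:
        for kind, subject, perms in acl:
            if kind == 'group' and (subject == 'cn=anybody' or
                                    (subject == 'cn=authenticated' and bound is not None)):
                grant(perms)
    return granted

# The ACL of Example 2 above, constructed inline so the block runs offline.
EXAMPLE_2_ACL = """
AclEntry: access-id:cn=personA, c=US: object:ad
AclEntry: access-id: CN=THIS:critical:rwsc
AclEntry: group: CN=ANYBODY: normal:rsc
AclEntry: group: CN=AUTHENTICATED: sensitive:rcs
"""
```

Dropping the first AclEntry line gives the ACL of Example 1; binding anonymously (bind_dn=None) receives only the CN=ANYBODY permissions.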

3. Directory hierarchy

An example of an LDAP directory structure (LDAP object model)

For example, telephone number and surname: these, like the object classes, are predefined in the schema.

Every entry must have an objectclass; some attributes are optional and some are defined as mandatory. An attribute may hold a single value or, as the cn attribute in the entry below shows, several.



dn: cn=John Smith,o=My Company,c=US
objectclass: inetorgperson
sn: Smith
cn: John Smith
cn: Jack Smith
cn: Johnny Smith

This person is easy to find: searching for either John or Jack returns the same entry.
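An added example (not code from these notes): a minimal LDIF reader plus an equality search that, like the server, matches any value of a multi-valued attribute, so the three cn values above all resolve to the same entry. parse_ldif and search are hypothetical helper names; the LDIF text is a constructed copy of the entry above.

```python
import base64

# Constructed copy of the entry above, embedded so the block runs offline.
SAMPLE_LDIF = """\
dn: cn=John Smith,o=My Company,c=US
objectclass: inetorgperson
sn: Smith
cn: John Smith
cn: Jack Smith
cn: Johnny Smith
"""

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, '::' for base64 values, a blank line
    ends an entry. No line folding. Returns [{attr_lower: [value, ...]}, ...]."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        if value.startswith(':'):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def search(entries, attr, value):
    """Equality filter (attr=value), case-insensitive, matched against every value of a
    multi-valued attribute. Returns the DNs of the matching entries."""
    attr, value = attr.lower(), value.lower()
    return [e['dn'][0] for e in entries if any(v.lower() == value for v in e.get(attr, []))]
```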





All object classes inherit from the abstract object class top.

4. Directory server and client (client/server model)

A DS server can have multiple suffixes. Predefined suffixes:



7. OID (object identifier)

A string of decimal digits that identifies a unique object, such as an object class or an attribute.

If you do not have an OID, you can use the attribute or object class name followed by -oid to stand in for the OID.



  • Register the objects with an authority. This strategy can be convenient, for example, if you need a small number of OIDs.
  • Obtain an arc (an arc is an individual subtree of the OID tree) from an authority and assign your own OIDs as needed. This strategy may be preferred if many OIDs are needed, or OID assignments are not stable.

The American National Standards Institute (ANSI) is the registration authority for organization names in the United States under the global registration process established by the International Standards Organization (ISO) and the International Telecommunication Union (ITU). More information about organization name registration can be found at the ANSI Web site (www.ansi.org). The ANSI OID arc for organizations is 2.16.840.1. ANSI will assign a number (NEWNUM), creating a new OID arc: 2.16.840.1.NEWNUM.

In most countries or regions, the national standards association maintains an OID registry. As with the ANSI arc, these are generally arcs assigned under the OID 2.16. It may take some investigation to find the OID authority for a particular country or region. The national standards organization for your country or region may be an ISO member. The names and contact information of ISO members can be found at the ISO Web site (www.iso.ch).

The Internet Assigned Numbers Authority (IANA) assigns private enterprise numbers, which are OIDs, in the arc IANA will assign a number (NEWNUM) so that the new OID arc will be These numbers can be obtained from the IANA Web site (www.iana.org).



Root bind DN (string): name of the administrative account on the LDAP server (e.g. cn=Manager,dc=test,dc=org)



From an LDAP perspective, there are two frameworks for authenticating to LDAP:

  • Simple bind, in which an application provides a DN and the clear text password for that DN
  • Simple Authentication and Security Layer (SASL), which provides several additional authentication methods, including CRAM-MD5, EXTERNAL, GSSAPI, and OS400-PRFTKN.

Simple bind (and CRAM-MD5)

To use a simple bind, the client must supply the DN of an existing LDAP entry and a password which matches the userPassword attribute for that entry. For example, you could create an entry for John Smith as follows:

sample.ldif:
dn: cn=John Smith,cn=users,o=acme,c=us
objectclass: inetorgperson
cn: John Smith
sn: smith
userPassword: mypassword

ldapadd -D cn=administrator -w secret -f sample.ldif

You can now use the DN "cn=John Smith,cn=users,o=acme,c=us" in access control, or make it a member of a group used in access control.

Several predefined objectclasses allow userPassword to be specified, including (but not limited to): person, organizationalperson, inetorgperson, organization, organizationalunit, and others.
