Building an LDAP Distinguished Name

Building an LDAP distinguished name
The object type an administrator selects when creating an object to represent a network entity depends on the purpose of the entity. Each object contains the specific information needed for it to perform its role in the network. There are many standard object types provided by Novell and often it is necessary for applications to add a new object type for special uses.

User objects contain information about the people who operate the client stations on the network. In NetWare Administrator and ConsoleOne, an object can be double-clicked to display its information. This information is read from the object's attributes. NDS objects and attributes are discussed more fully in Intro to NDS.

Tree administrators arbitrarily create, edit, and delete objects on a tree as they determine it. If you have never used NetWare Adminstrator or ConsoleOne to perform these operations and have admin rights on a test tree, log in to your test tree and attempt to create, edit, and delete some objects.

"Organization" objects like the Developer Org object in Figure 1 are often at the highest-level in the tree. There can be multiple Organization objects but this tree has only one. Organizations and "Organizational units" such as the Tech Info and Education objects in Figure 1 are called "containers". Organizational Units are the mid-level containers in the tree.

Figure 1

Administrators nest containers to represent the structure within the organization. Organizations and Organizational Units have no physical presence on the network. You can see that there are no entities in the network layout which correspond to the Organization or Organizational unit objects. They are simply conceptual NDS devices designed to help organize directory information.

Administrator's generally create user objects inside of Organizational Unit objects representing the groups in which they work. The path of Organization and Organizational Units leading to an object is actually a part of its name, like a fully qualified pathname in a file system.

An object's fully qualified pathname in a directory is called its "name context." Figure 2 shows the different kinds of name contexts that an object can have in a directory.

Figure 2

The first two name contexts listed in Figure 2 are referred to as "distinguished name contexts" because, as complete paths, they can distinguish between the Joe in Accounting and the Joe in Marketing. In LDAP the types for each step are always specified, sometimes this is referred to as typeful ("cn" refers to a leaf object's "Common Name").

A "relative name context" requires the accessing station's current context be set so that it can complete a partial reference, in order to fully distinguish a target object. For example, in the relative context example in Figure 2, current context would need to be set to:

"ou=Accounts_Receivable,ou=Accounting,o=Novell"