difference between cn and ou in ldap

2
votes

My Directory experience until now was originally Novell's NDS and eDirectory, and more recently, MS Active Directory, but now I'm now having to work directly with ldap (OpenLdap 2.4 on Zimbra.)

I'm more than a little confused with the naming in ldap, and I really haven't been able to find what I'm looking for in numerous google searches:

In eDir and AD, when an object was labeled with the cn= it was a leaf object, while an object labeled with ou= was a container object. But that doesn't seem to be the case in ldap.

For instace, let's say I want to list the installed schemas in my dit, I can use the command:

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

The results returned are: 

dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config

Is there documentation explaining why the objects schema and config, which are clearly container objects, are still labeled as cn? Or can someone please just explain to me when to use the cn label on container objects, rather than the ou label?

Maybe this is documented in a book I just ordered from Amazon, "The ABCs of LDAP" by R. Voglmaier from Amazon. It should be arriving sometime next week.

2
ldapnaming

2 Answers

1
votes

Leaf and non-leaf have nothing to do with it.

  • CN stands for Common Name and is an attribute of several person-related classes such as inetOrgPerson. But there's nothing stopping it being an attribute of other classes, such as organizationalRole.
  • OU stands for Organizational Unit and is an attribute of the organizationalUnit class.
  • In both cases the attribute forms part of the DN of an object of those classes.

You would normally expect an object with OU to be a non-leaf, and a person to be a leaf, but there is nothing inherent about it.

0
votes

i can understand your confusion bit you took the most complicated thing to try to understand it, as the config-branch of OpenLDAP is a special thing.

One thing to keep in mind us that the objectclass of an entry (and I always try to avoid calling them "leaves" or "containers") defines whether an OU or CN should or can be an attribute of it. Depending on the set objectclasses it might be possible (not necessarily usefull) to have both attributes in an entry.

So if you beed to know whether to use CN or OU, have a look at the objectclass.

By convention the OU is used to describe an OrganizationalUnit like a department inside a larger organization whereas the CommonName can be used for vitually anything. And as you are looking and trying to understand the LDAP information in the config-part of the LDAP there is not really any Organizational unit available. therefore there are no OUs defined.

I'm trying to avoid those "leaf" and "container" naming as it implies that a container is just a collection of things without informstions attached which in LDAP might not be the case. A "Container" might have more attributes available than the entries "stored inside".

There is also a great book from O'Reilly about LDAP-Administration which might be interesting.

Hope that helps somewhat.