In the previous part of this article series, I
explained that the LDAP protocol references objects in the Active
Directory by their distinguished name, and that every object in the
directory has its own unique distinguished name. In this article, I want
to continue the discussion by explaining how distinguished names work.
Before I Begin
Before I get started, I just want to remind you
that distinguished names are not unique to the Active Directory.
Microsoft built the Active Directory to take advantage of industry
standards which are used by other companies such as Novell and IBM. By
learning how distinguished names work, you will not only be better
prepared to manage an Active Directory environment, you will also have
some degree of familiarity if you are ever asked to work with a non
Microsoft network operating system.
Basic Naming Rules
Distinguished names are made up of attributes,
which are assigned values. A single distinguished name almost always
contains multiple attribute value pairs. To see what I am talking about,
let’s look at a simple distinguished name:
CN=User1, CN=Users, DC=Contoso, DC=com
In this particular example, the distinguished name
is made up of four different attribute / value pairs, each of which are
separated by a comma. The first attribute / value pair is CN=USER1. In
this attribute / value pair, CN (which stands for Common Name) is the
attribute and User1 is the value. Attributes and values are always
separated by the equals sign, and attribute / value pairs are always
separated from each other by commas.
Relative Distinguished Names
When you look at a distinguished name such as
CN=User1, CN=Users, DC=Contoso, DC=com, one thing probably becomes
immediately apparent; distinguished names can be really long. If you
take a closer look at this distinguished name, you will notice that it
is hierarchical. In this particular case, DC=com represents the highest
level of the hierarchy. DC=Contoso represents the second level of the
hierarchy. You can tell that COM and Contoso are both domains because
both use the DC attribute. The domain hierarchy mimics the domain
hierarchy used by DNS servers (you learned about the DNS hierarchy
earlier in this series).
It is important to understand how the distinguished
name hierarchy works for two reasons. First, by understanding the
naming hierarchy, it becomes possible to know exactly where a particular
object is located within the directory. The other reason why it is
important to understand the nature of the directory hierarchy is because
sometimes shortcuts are used in lieu of a full distinguished name.
To see what I am talking about, let’s take another
look at our example distinguished name: CN=User1, CN=Users, DC=Contoso,
DC=com. This distinguished name simply refers to a user account (more
precisely known as a user object) named User1. The rest of the
information in the distinguished name simply tells us the object’s
position within the directory hierarchy.
If you were trying to tell another person about
this object, you would probably casually refer to it as User1. Sometimes
LDAP does the same thing. This is possible because it isn’t necessary
to provide information about an object’s location in the hierarchy if
the location is already known.
For example, if we are performing some operation on
user objects located in the Users container in the Contoso.com domain,
is it really necessary to explicitly state that every single object is
located in the Contoso.com domain’s Users container?
In situations like this, the distinguished name is
often replaced by a Relative Display Name (abbreviated RDN). In the case
of CN=User1, CN=Users, DC=Contoso, DC=com, the RDN is CN=User1. The RDN
is always made up of the most specific identifier. This will be the
left most attribute / value pair in the distinguished name. The
remaining portion of the distinguished name is known as the parent
distinguished name. In this particular case, the parent distinguished
name would be CN=Users, DC=Contoso, DC=com.
Before I move on, I want to mention that Microsoft
tends to use a slightly different distinguished name format than some
other network operating system manufacturers. As you have already seen,
Microsoft’s distinguished names tend to be based on containers and
domains. There is certainly nothing wrong with this format, because it
does comply with RFC 2253, which sets the rules for distinguished names.
Some of the other network operating systems tend to
base their distinguished name hierarchies on companies and countries
rather than containers and domains. In these types of distinguished
names, the attribute O is used to designate an organization (company)
name, and the letter C is used to designate a country name. Using this
naming convention, the distinguished name CN=User1, CN=Users,
DC=Contoso, DC=com would look something like this:
CN=User1, O=Contoso, C=US
Keep in mind that the two formats both comply with
RFC 2253, but they cannot be used interchangeably. Remember that a
distinguished name’s job is to describe an object and its position
within the directory. The reason for the two different distinguished
name formats is that Microsoft structures their directory differently
than some of their competitors.
Special Characters in Distinguished Names
So far you have seen that commas and equal signs
have special meaning in the context of a distinguished name. There are
several other characters that also have special meanings. These
characters include the plus sign, the greater than and less than signs,
the number sign, the back slash, and the quotation mark. I’m not going
to bother covering most of these because you will rarely, if ever, have
to use them in real life.
I do however want to talk about the back slash. The
back slash allows you to tell an LDAP statement to ignore the following
character. This allows you to store otherwise forbidden characters in
your directory.
To see how this is of use, consider that full names
are often expressed as last name comma first name. Even so, LDAP does
not allow you to use the statement CN=Smith, John because the comma is
used by LDAP to separate attribute / value pairs. If you wanted to store
the value Smith, John in the directory, you could do so by making use
of the back slash, as shown below:
CN=Smith\, John
In the statement above, the back slash tells LDAP
to treat the comma as data rather than as a part of the command syntax.
Another way to accomplish this is to surround the entire attribute value
by quotation marks. Everything within the quotation marks is treated as
data rather than as a part of the syntax.
There is a special rule regarding the use of the
back slash within quotation marks. The back slash can only be used to
force LDAP to ignore another back slash. To put it simply, if you needed
to include a back slash as a part of the data, you would simply use two
back slashes instead of one. Any other use of the back slash between
quotation marks is considered to be illegal.
Conclusion
As you can see, the rules for creating a
distinguished name can be a bit tricky. Even so, having a basic
understanding of distinguished names is key to effectively managing an
Active Directory environment. In Part 11, I will continue the discussion
by demonstrating some of the Active Directory management tools.
No comments:
Post a Comment