Specifications
Chapter 1 Directory Services with Open Directory 25
About the Structure of LDAP Entries
In an LDAP directory, entries are arranged in a hierarchical treelike structure. In some
LDAP directories, this structure is based on geographic and organizational boundaries.
More commonly, the structure is based on Internet domain names.
In a simple directory organization, entries representing users, groups, computers, and
other object classes are immediately below the root level of the hierarchy, as shown here:
dc=com
    dc=example
        cn=users
            uid=anne (cn=Anne Johnson)
            uid=juan (cn=Juan Chavez)
        cn=groups
        cn=computers
An entry is referenced by its distinguished name (DN), which is constructed by taking
the name of the entry, referred to as the relative distinguished name (RDN), and
concatenating the names of its ancestor entries.
For example, the entry for Anne Johnson could have an RDN of uid=anne and a DN of
uid=anne, cn=users, dc=example, dc=com.
The LDAP service retrieves data by searching the hierarchy of entries. The search can
begin at any entry. The entry where the search begins is the search base.
You can designate a search base by specifying the distinguished name of an entry
in the LDAP directory. For example, the search base cn=users, dc=example, dc=com
specifies that the LDAP service begin searching at the entry whose cn attribute has a
value of “users.”
You can also specify how much of the LDAP hierarchy to search below the search
base. The search scope can include all subtrees below the search base or the first level
of entries below the search base. If you use command-line tools to search an LDAP
directory, you can also restrict the search scope to include only the search base entry.
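The following is an added example, not code from the Open Directory guide: it models the sample hierarchy above as a nested dict, builds each entry's DN from its RDN plus the RDNs of its ancestors, and applies a search base with the three scopes described (base, one level, subtree). It assumes DNs written without spaces after the commas, which is equivalent to the spaced form the text uses.

```python
# Added example, not from the Open Directory guide. The tree below is the sample
# hierarchy from the text: dc=com > dc=example > users/groups/computers containers.
TREE = {"dc=com": {"dc=example": {
    "cn=users": {"uid=anne": {}, "uid=juan": {}},
    "cn=groups": {}, "cn=computers": {}}}}


def entries(tree, ancestors=()):
    """Yield (dn, depth) for every entry: DN = own RDN followed by ancestor RDNs."""
    for rdn, children in tree.items():
        path = (rdn,) + ancestors          # leaf RDN first, root RDN last
        yield ",".join(path), len(ancestors)
        yield from entries(children, path)


def search(base_dn, scope="sub", tree=TREE):
    """Return the DNs a search with the given base and scope would visit.

    scope is 'base' (the base entry only), 'one' (the first level below the
    base) or 'sub' (the base and every entry beneath it). DN comparison here
    is a plain string match; a real server also normalises case and spacing.
    """
    all_entries = dict(entries(tree))
    if base_dn not in all_entries:
        return []                          # nonexistent search base: no results
    if scope == "base":
        return [base_dn]
    suffix = "," + base_dn                 # descendants end with ",<base DN>"
    below = [d for d in all_entries if d.endswith(suffix)]
    if scope == "one":
        one_deeper = all_entries[base_dn] + 1
        return [d for d in below if all_entries[d] == one_deeper]
    return [base_dn] + below
```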