The CN (CommonName in X.500) AttributeType contains the names of an LDAP Entry.
Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name.

Microsoft Active Directory Anomaly[1]#

On the ldap-nis mailing list (discussing PADL Software's software projects) it has come to light that naming attributes (particularly "cn" - "commonName", also "CN" in NDS) in AD are always single-valued; the current definition of the attribute in AD is:


Note the Attribute-ID (OID), "". The page also indicates that the information is subject to change (let's hope it does so).

Various members of the list (and off-list) have checked the standards and reported that the following all define the attribute (same OID) to be multi-valued (not single-valued):

  • IETF RFC 2256
  • DMTF DEN (most interesting because Microsoft was one of the founders of the DEN effort...)
  • ITU-T X.520(93)

Testing against some existing LDAPv3 servers (Netscape Directory 4.0 and Novell EDirectory LDAPv3) shows that they accept "cn" as multi-valued.

The discussion was in relation to RFC 2307 (and whether or not AD could really be compliant with the existing schema given this - and other - limitations and namespace clashes).
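
A check that follows from the single-valued versus multi-valued mismatch described above, as an added example that is not part of the original page: it scans an LDIF export for entries carrying more than one "cn" value, which the standards-conformant servers accept but a directory with single-valued "cn" cannot store as written. The sample LDIF, the DNs and the function names are constructed for illustration, and treating "commonName" as an alias of "cn" is an assumption about the source server's schema.

```python
import base64
# Constructed sample LDIF (not from the page); example.com names are made up.
SAMPLE_LDIF = """\
dn: cn=Barbara Jensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs
  Jensen

dn: cn=John Doe,ou=People,dc=example,dc=com
cn: John Doe

dn: cn=Zoe Long,ou=People,dc=example,dc=com
CN: Zoe Long
cn:: Wm/DqyBMb25n
"""

def unfold(text):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def cn_values_by_entry(text):
    """Map each entry's DN to the list of its cn values."""
    entries, dn = {}, None
    for line in unfold(text):
        if not line or line.startswith("#"):
            dn = dn if line else None      # a blank line ends the entry
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: " marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = name.split(";")[0].lower(), value.strip()
        if attr == "dn":
            dn = value
            entries[dn] = []
        elif attr in ("cn", "commonname") and dn is not None:
            entries[dn].append(value)
    return entries

def multi_valued_cn(text):
    """Entries a directory with single-valued cn cannot store as written."""
    return {dn: v for dn, v in cn_values_by_entry(text).items() if len(v) > 1}

if __name__ == "__main__":
    print(multi_valued_cn(SAMPLE_LDIF))
```

Attribute names are compared case-insensitively and with options such as ";lang-en" stripped, so "CN" and "cn" count as the same attribute.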

LDAP Attribute Definition#

The cn AttributeType is defined as:

