Ldapwiki: Cn

Overview#

CN (CommonName in X.500) AttributeType contains names of an LDAP Entry.
Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name.

Microsoft Active Directory Anomaly [1]#

On the ldap-nis mailing list (discussing PADL Software's software projects) it has come to light that naming attributes (particularly "cn" - "commonName", also "CN" in NDS) in AD are always single-valued; the current definition of the attribute in AD is:

http://msdn.microsoft.com/library/sdkdoc/adschema/attrdetl_0yed.htm

Note the Attribute-ID (OID), "2.5.4.3". The page also indicates that the information is subject to change (let's hope it does so).

Various members of the list (and off-list) have checked the standards and reported that the following all define the attribute (same OID) to be multi-valued (not single-valued):

IETF RFC 2256
DMTF DEN (most interesting because Microsoft was one of the founders of the DEN effort...)
ITU-T X.520(93)

Testing against some existing LDAPv3 servers Netscape Directory 4.0 and Novell EDirectory LDAPv3 shows that they accept "cn" as multi-valued.

The discussion was in relation to RFC 2307 (and whether or not AD could really be compliant with the existing schema given this - and other - limitations and namespace clashes).