LDAP Entry


An entry is the structure that holds information in a directory server. It consists of the following components:
  • A DN that uniquely identifies the entry among all other entries in the server.
  • A collection of object class values that are used to govern the contents of the entry.
  • A collection of attribute values that contain the actual data for the entry.

Every entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class.

The collection of object classes determines the available attributes for the entry. Each object class defines a set of required attributeTypes (MUST), which must be present in the entry, and possibly a set of OPTIONAL attributeTypes (MAY), which may be included in the entry but are not required.

Structure of an LDAP Entry (RFC 4512)#

An LDAP Entry consists of a set of AttributeTypes that hold information about the object that the LDAP Entry represents. Some attributeTypes represent user information and are called user attributes. Others represent operational and/or administrative information and are called operational attributes.

An attribute consists of an attribute description (an attributeType together with zero or more Attribute Options) and one or more associated values. An attribute is often referred to by its attribute description. For example, the 'givenName' attribute is the attribute that consists of the attribute description 'givenName' (the 'givenName' attributeType from RFC 4519 and zero Attribute Options) and one or more associated values.

The attributeType governs whether the attribute can have multiple values, the LDAPSyntaxes and matching Rules used to construct and compare values of that attribute, and other functions. Attribute Options indicate subtypes and other functions.

Attribute values conform to the defined LDAPSyntaxes of the attribute type.

No two values of an attributeType may be equivalent. Two values are considered equivalent if and only if they would match according to the EQUALITY matching Rule of the attributeType. Or, if the attributeType is defined with no EQUALITY matching Rule, two values are equivalent if and only if they are identical. (See RFC 4512 2.5.1 for other restrictions.)

For example, a 'givenName' attributeType can have more than one value; each value must be a Directory String, and values are compared case-insensitively. A 'givenName' attribute cannot hold both "John" and "JOHN", as these are equivalent values per the equality matching rule of the attribute type.

Additionally, no attribute is to have a value that is not equivalent to itself. For example, the 'givenName' attribute cannot have as a value a directory string that includes the REPLACEMENT CHARACTER (U+FFFD) code point, as matching involving that directory string is Undefined per this attribute's equality matching rule.

When an attributeType is used for naming of the entry, one and only one value of the attribute is used in forming the Relative Distinguished Name. This value is known as a Distinguished Value.
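The rules above (MUST/MAY attributes from the object class chain, a single structural object class chain, no two equivalent values under the EQUALITY matching rule, no value that is undefined under that rule, and a Distinguished Value that is actually one of the naming attribute's values) can be checked mechanically. The following is an added example, not part of this page or of any directory server's code. It assumes a hand-written mini-schema covering a few RFC 4519 attribute types and object classes; the value normalization is a rough stand-in for RFC 4518 string preparation, and the DN parsing ignores RFC 4514 escaping, which is enough for the constructed sample entries but not for arbitrary DNs.

```python
"""Validate an LDAP entry against a constructed mini-schema (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AttributeType:
    name: str
    single_value: bool = False
    equality: str = "caseIgnoreMatch"   # name of the EQUALITY matching rule


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: frozenset
    may: frozenset
    sup: Optional[str] = None           # superior class in the superclass chain
    structural: bool = True


# Constructed mini-schema: a subset of RFC 4519, not a real server's schema.
ATTRS = {
    "objectClass": AttributeType("objectClass", equality="objectIdentifierMatch"),
    "cn": AttributeType("cn"),
    "sn": AttributeType("sn"),
    "givenName": AttributeType("givenName"),
    "uid": AttributeType("uid"),
    "o": AttributeType("o"),
    "userPassword": AttributeType("userPassword", equality="octetStringMatch"),
    "employeeNumber": AttributeType("employeeNumber", single_value=True),
}
CLASSES = {
    "top": ObjectClass("top", frozenset({"objectClass"}), frozenset(), structural=False),
    "person": ObjectClass("person", frozenset({"sn", "cn"}), frozenset({"userPassword"}), sup="top"),
    "organizationalPerson": ObjectClass("organizationalPerson", frozenset(), frozenset(), sup="person"),
    "inetOrgPerson": ObjectClass("inetOrgPerson", frozenset(),
                                 frozenset({"givenName", "uid", "employeeNumber"}), sup="organizationalPerson"),
    "organization": ObjectClass("organization", frozenset({"o"}), frozenset(), sup="top"),
}


def normalize(attr: AttributeType, value: str) -> str:
    """Equality-matching form of a value (rough stand-in for RFC 4518 prep)."""
    if attr.equality in ("caseIgnoreMatch", "objectIdentifierMatch"):
        return " ".join(value.split()).casefold()
    return value


def chain(cls: str) -> list:
    """Superclass chain of an object class, most subordinate first."""
    out = []
    while cls is not None:
        out.append(cls)
        cls = CLASSES[cls].sup
    return out


def validate_entry(dn: str, entry: dict) -> list:
    """Return a list of schema violations (empty list means the entry is valid)."""
    problems = []
    classes = set()
    for oc in entry.get("objectClass", []):
        if oc not in CLASSES:
            problems.append(f"unknown objectClass {oc!r}")
            continue
        classes.update(chain(oc))
    # Exactly one structural chain: some structural class must subsume all others.
    structural = [c for c in classes if CLASSES[c].structural]
    if not any(set(structural) <= set(chain(c)) for c in structural):
        problems.append("entry must have exactly one structural object class chain")
    required = set().union(*(CLASSES[c].must for c in classes)) if classes else set()
    allowed = required.union(*(CLASSES[c].may for c in classes)) if classes else set()
    for name, values in entry.items():
        if name not in ATTRS:
            problems.append(f"unknown attributeType {name!r}")
            continue
        if name not in allowed:
            problems.append(f"{name!r} is not allowed by the entry's object classes")
        at = ATTRS[name]
        if at.single_value and len(values) > 1:
            problems.append(f"{name!r} is single-valued but has {len(values)} values")
        seen = set()
        for v in values:
            if "\ufffd" in v:   # matching is Undefined for such a string, so it is not a valid value
                problems.append(f"{name!r} value {v!r} is undefined under {at.equality}")
                continue
            if normalize(at, v) in seen:
                problems.append(f"{name!r} has equivalent values: {v!r}")
            seen.add(normalize(at, v))
    for name in sorted(required):
        if not entry.get(name):
            problems.append(f"missing required attribute {name!r}")
    # The RDN's Distinguished Value must be one of the naming attribute's values.
    rdn = dn.split(",", 1)[0]
    if "=" not in rdn:
        problems.append("RDN is not of the form attr=value")
        return problems
    rdn_attr, rdn_val = (s.strip() for s in rdn.split("=", 1))
    if rdn_attr not in ATTRS or rdn_attr not in entry:
        problems.append(f"RDN attribute {rdn_attr!r} is not present in the entry")
    elif normalize(ATTRS[rdn_attr], rdn_val) not in {normalize(ATTRS[rdn_attr], v) for v in entry[rdn_attr]}:
        problems.append(f"RDN value {rdn_val!r} is not a value of {rdn_attr!r}")
    return problems


# Constructed sample entries.
GOOD_ENTRY = {"objectClass": ["inetOrgPerson"], "cn": ["John Smith"], "sn": ["Smith"],
              "givenName": ["John"], "uid": ["jsmith"]}
BAD_ENTRY = {"objectClass": ["inetOrgPerson"], "cn": ["Jane Doe"],
             "givenName": ["Jane", "JANE", "Ja\ufffdne"], "employeeNumber": ["1", "2"],
             "mail": ["jane@example.com"]}

if __name__ == "__main__":
    print(validate_entry("uid=jsmith,ou=People,dc=example,dc=com", GOOD_ENTRY))
    for p in validate_entry("uid=jdoe,ou=People,dc=example,dc=com", BAD_ENTRY):
        print("-", p)
```

Run as a script, the first call prints an empty list for the well-formed entry; the second reports the equivalent "Jane"/"JANE" values, the U+FFFD value, the second value on a single-valued attribute, the attribute not in the mini-schema, the missing required 'sn', and the RDN attribute 'uid' that the entry does not carry. Real servers additionally apply the full RFC 4518 preparation and DN escaping rules, so treat the normalization here as illustrative.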
