
Choosing an RDN for new objectClasses in LDAP?

What are the best practices for choosing an RDN when creating new objectClasses in LDAP? I know you can choose from uid, cn, ou, and so on, but what practices should one follow?

McGovernTheory Avatar asked Dec 31 '22 01:12



2 Answers

The RDN is essentially (part of) your primary key. The same principles apply:

  • Something unique about the entry (or a combination of things).
  • Something that doesn't change (or doesn't change very often).
Stef Avatar answered Jan 01 '23 15:01



When using OpenLDAP you can choose any attribute as RDN that is allowed on the object (according to its objectClasses), but on Active Directory the RDN attribute is defined in the appropriate schema - so you don't have a choice when using pre-defined classes.

When you have the choice (using OpenLDAP or using your own schema on Active Directory), I'd suggest using an RDN that effectively identifies the underlying entry (naturally your RDN must be unique within the children of a given subtree). OpenLDAP also allows for the use of multi-valued RDNs if you determine a single RDN attribute is not sufficient to uniquely identify a given entry:

cn=Robert Smith+uid=rsmith,ou=people,dc=example,dc=com
Stefan Gehrig Avatar answered Jan 01 '23 13:01

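As an added example (not code from either answer), a small Python check for the rule both answers lean on: the attribute values named in an entry's RDN must actually be present in the entry, including the multi-valued `cn=...+uid=...` form shown above. The DN and entry dictionary are constructed sample data.

```python
"""Parse the leading RDN of an LDAP DN (single- or multi-valued) and verify
that the entry carries every attribute value the RDN names (RFC 4512 requires
this; RFC 4514 defines the escaping handled here). Constructed example."""
import re


def _split_unescaped(text: str, delim: str) -> list[str]:
    """Split on `delim` unless it is escaped with a backslash (e.g. 'Smith\\, Bob')."""
    return re.split(r'(?<!\\)' + re.escape(delim), text)


def parse_rdn(dn: str) -> dict[str, str]:
    """Return the first RDN of `dn` as {attribute_type: value}, e.g.
    'cn=Robert Smith+uid=rsmith,ou=people,dc=example,dc=com'
    -> {'cn': 'Robert Smith', 'uid': 'rsmith'}."""
    first = _split_unescaped(dn, ',')[0]
    rdn: dict[str, str] = {}
    for ava in _split_unescaped(first, '+'):          # attribute=value pairs joined by '+'
        attr, _, value = ava.partition('=')
        if not attr.strip() or not value:
            raise ValueError(f'malformed RDN component: {ava!r}')
        value = re.sub(r'\\(.)', r'\1', value)        # undo RFC 4514 escaping
        rdn[attr.strip().lower()] = value.strip()
    return rdn


def rdn_matches_entry(dn: str, attributes: dict[str, list[str]]) -> bool:
    """True only if every RDN value is present among the entry's attribute values.
    A mismatch means the entry would be rejected by a conforming server (or, worse,
    silently mis-named if written with a non-validating tool)."""
    attrs = {k.lower(): set(v) for k, v in attributes.items()}
    return all(value in attrs.get(attr, set())
               for attr, value in parse_rdn(dn).items())


# Constructed sample: the multi-valued RDN from the answer above, with its entry.
SAMPLE_DN = 'cn=Robert Smith+uid=rsmith,ou=people,dc=example,dc=com'
SAMPLE_ENTRY = {
    'objectClass': ['inetOrgPerson'],
    'cn': ['Robert Smith'],
    'sn': ['Smith'],
    'uid': ['rsmith'],
}

if __name__ == '__main__':
    print(parse_rdn(SAMPLE_DN))                       # {'cn': 'Robert Smith', 'uid': 'rsmith'}
    print(rdn_matches_entry(SAMPLE_DN, SAMPLE_ENTRY)) # True
```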