Overview of Part 4
In Part 1 of this series, we examined the basics of Active Directory bind paths. In Part 2, we looked more deeply into the components of a bind path. In Part 3, we took apart the server name syntax and checked out serverless binding. In this article, we examine using distinguished names to connect to objects in Active Directory.
What is a Distinguished Name?
Active Directory uses a distinguished names (DN) as a path to uniquely identify an object in the directory. You can use a DN to hook to OU containers, user accounts, groups, schema objects and anything else stored in AD. Since AD is an LDAP directory, it stores objects in a hierarchical tree like a filesystem and you can use DNs as a sort of path syntax to hook into an object.
DN Path Syntax
DNs use a syntax similar to a filesystem path as each piece of the DN is more specific to where the object resides in the directory. Look at the following example of a DN.
CN=Test User,OU=UserContainer,DC=mydomain,DC=local
In this example, we have four components of the path, each separated by a comma. You read the DN from left to right where the leftmost component is the most specific node in the directory tree and specifies the object identified by the DN. In this case, that object is a user account with the common name (CN) of Test User.
Working to the right, we see that the Test User account is in an organizational unit (OU) called UserContainer. This container is a child of the root of the namespace, mydomain.local.
Finally, the namespace root of mydomain.local is specified by the last two components, DC=mydomain,DC=local. Technically, both the domain component (DC) values here are actually part of the same component as the combination of the two specifies the root of the namespace. In general, just remember that when you use the DNS name of a domain or forest in a DN, you need to add a “DC=” for each part of the DNS name when creating the DN.
Special DN Characters
DNs are very powerful for addressing objects in AD but sometimes you have to be careful if a directory has containers or objects that contain special characters. The following characters are reserved in AD and cannot be included in a DN unless they are escaped with the character.
<,;+/">
You also must escape the # character if it is the first character in a DN. When using any special reserved characters in a DN, you must escape them using the character. Note that spaces in a name do not need to be escaped.
Pingback: Binding to Active Directory: AD Connections De-mystified, Part 5 « Web Active Directory Blog