
9/9/2019 active directory - What are CN, OU, DC in an LDAP search? - Stack Overflow

What are CN, OU, DC in an LDAP search?


Asked 5 years, 11 months ago Active 6 months ago Viewed 599k times

I have a search query in LDAP like this. What exactly does this query mean?

("CN=Dev-India,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com");

active-directory ldap ldap-query

edited Feb 21 at 12:08 by Ayed Mohamed Amine; asked Sep 12 '13 at 6:16 by Ritesh Chandora

It does not work. You do not have a proper LDAP query. What you have is a fully distinguished name, probably from an
Active Directory entry. Perhaps you should explain what you are trying to accomplish. – jwilleke Sep 13 '13 at 8:14

2 Answers

CN = Common Name
OU = Organizational Unit
DC = Domain Component

These are all parts of the X.500 Directory Specification, which defines nodes in an LDAP directory.

You can also read up on LDAP Data Interchange Format (LDIF), which is an alternate format.

You read it from right to left: the right-most component is the root of the tree, and the left-most component is
the node (or leaf) you want to reach.

Each = pair is a search criteria.

With your example query

("CN=Dev-India,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com");

In effect the query is:

From the com Domain Component, find the google Domain Component, and then inside it the gl Domain
Component and then inside it the gp Domain Component.

In the gp Domain Component, find the Organizational Unit called Distribution Groups and then find
the object that has a common name of Dev-India.

edited Jan 25 '16 at 0:20 by mkobit; answered Sep 12 '13 at 6:27 by Burhan Khalid

These are all part of the X.500 Directory specification, Distinguished Name component. Nothing specifically to do with
LDIF at all. LDIF is not "how the LDAP tree is 'filtered'": that's the LDAP syntax specification, which is another thing
altogether. – user207421 Mar 24 '15 at 9:09

https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search

TIL X.509 is an extension of X.500, eg TLS is based on LDAP :grumpycat: (This is a huge oversimplification) –
ThorSummoner Aug 24 '17 at 21:38

@EJP How do I ask for several objects by their CN? Like if I want Dev-India2 along with Dev-India ? – arrowd Nov
29 '17 at 17:12

What are CN, OU, DC?

From RFC2253 (UTF-8 String Representation of Distinguished Names):


String  X.500 AttributeType
------------------------------
CN      commonName
L       localityName
ST      stateOrProvinceName
O       organizationName
OU      organizationalUnitName
C       countryName
STREET  streetAddress
DC      domainComponent
UID     userid

What does the string from that query mean?

The string ("CN=Dev-India,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com") is a path from a
hierarchical structure (DIT = Directory Information Tree) and should be read from right (root) to left (leaf).

It is a DN (Distinguished Name) (a series of comma-separated key/value pairs used to identify entries
uniquely in the directory hierarchy). The DN is actually the entry's fully qualified name.

Here you can see an example where I added some more possible entries.
The actual path is represented using green.

The following paths represent DNs (and their value depends on what you want to get after the query is run):

"DC=gp,DC=gl,DC=google,DC=com"

"OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com"

"OU=People,DC=gp,DC=gl,DC=google,DC=com"

"OU=Groups,DC=gp,DC=gl,DC=google,DC=com"

"CN=QA-USA,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com"

"CN=Dev-India,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com"

"CN=Ted Owen,OU=People,DC=gp,DC=gl,DC=google,DC=com"

answered Nov 27 '15 at 16:18 by ROMANIA_engineer

Any idea why you may get an empty remaining name? For this there is actually an open bounty on it – A_Di-Matteo
Sep 12 '16 at 21:24

@ROMANIA_engineer, if I am logged in my windows machine (client) where can I get this information? –
Artanis Zeratul Jul 31 '18 at 3:30

I know this post is quite old, yet, for the googlers (like me) that search for an answer on @ArtanisZeratul question for
the information: this answer helped me on that, if you look for the servers just try with nslookup: nslookup -type=srv
_ldap._tcp.MY.DOMAIN – Rüdiger Dec 17 '18 at 12:23

@Rüdiger, cool! thanks a lot for your info. I will sure try that later :) – Artanis Zeratul Dec 17 '18 at 21:36

Also, for those that need deeper information about the structure of the AD they're in (and do not have something like an
Admin Console to look it up) you can use the ADSI editor provided by Windows (access via MMC) - how to access
ADSI Edit – Rüdiger Dec 17 '18 at 22:02
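
The right-to-left reading that both answers describe, as an added example (not code from either answer): it parses a DN into its attribute=value pairs, walks them from root to leaf using the RFC 2253 short names quoted above, and escapes a value before it is placed into a DN so that a comma in the value is not read as a new path component. The function names are illustrative; multi-valued RDNs joined with "+" and quoted values are not handled.

```python
import re

# Short attribute names from the RFC 2253 table quoted in the second answer.
ATTRIBUTE_TYPES = {
    "CN": "commonName", "L": "localityName", "ST": "stateOrProvinceName",
    "O": "organizationName", "OU": "organizationalUnitName", "C": "countryName",
    "STREET": "streetAddress", "DC": "domainComponent", "UID": "userid",
}

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" else 1  # keep an escape pair together
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i:i + step]
        i += step
    return parts + [buf]

def unescape(value):
    """Undo backslash escapes: two hex digits give a byte, else the character."""
    decode = lambda m: bytes([int(m[1], 16)]) if len(m[1]) == 2 else m[1]
    return re.sub(rb"\\([0-9A-Fa-f]{2}|.)", decode, value.encode(), flags=re.S).decode()

def parse_dn(dn):
    """Return [(type, value), ...] in written order: leaf first, root last."""
    rdns = []
    for part in split_rdns(dn):
        attr, sep, value = part.lstrip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not an attribute=value pair: {part!r}")
        rdns.append((attr.strip().upper(), unescape(value)))
    return rdns

def path_from_root(dn):
    """Read the DN right to left (root to leaf), expanding the short names."""
    return [f"{ATTRIBUTE_TYPES.get(t, t)}={v}" for t, v in reversed(parse_dn(dn))]

def escape_dn_value(value):
    """Escape a value for a DN so untrusted input cannot add path components."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "  # a trailing space must be escaped
    if value[:1] in ("#", " "):
        out = "\\" + out  # so must a leading '#' or space
    return out
```

A value such as "x,OU=Admins" placed in a DN without escaping parses as two components; after `escape_dn_value` it stays a single CN.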
