Distinguished Name Components
A DN identifies an entry in an LDAP directory. Because directories are hierarchical,
DNs identify the entry by its location as a path in a hierarchical tree (much as a
path in a file system identifies a file).
Generally, a DN begins with a specific common name, and proceeds with progressively
broader areas of identification until the country name is specified. DNs are typically
made up of the following components (which are defined in the X.520 standard):
CN=common name, OU=organizational unit, O=organization, L=locality, ST=state or province, C=country name
Root Distinguished Name
The root distinguished name, or root DN, is the first, or top-most, entry in an LDAP
directory tree. In Netscape Directory Server, the root DN is commonly referred to
as the directory manager. By default, the root DN uses no suffix; it is simply a common
name attribute-data pair: CN=Directory Manager. For example, the root entry's DN could
look like this: CN=Directory Manager, O=Siroe Corporation, C=US.
Base Distinguished Name
The base distinguished name, or base DN, identifies the entry in the directory from
which searches initiated by LDAP clients occur. The base DN is often referred to as
the search base. For example, if you specify a base DN of OU=people, O=siroe.com for
a client, the LDAP search operation initiated by the client examines only the OU=people
subtree in the O=siroe.com directory tree.
Typically, an LDAP search consists of the following components:
The base DN (for example, O=Siroe, C=US), which initiates a sub-tree search through
all entries below this entry in the directory (in other words, all entries with the
suffix O=Siroe, C=US).
The search type, which can be a base search (only the entry specified by the base
DN is searched), a one-level search (only entries one level below the base entry are
searched), or a sub-tree search (all entries at all levels below the base entry are
searched).
The search filter, which specifies the search criteria applied to each entry within
the scope of the search.
When Certificate Management System is configured for LDAP publishing, the search point
and search criteria are determined by the configuration parameter values. In the absence
of a base DN value, Certificate Management System uses DN components in the certificate's
subject name to construct the base DN so that it can search the directory in order
to publish to or update the appropriate directory entry.
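The following sketch is an added example, not Certificate Management System code. It shows one way a base DN, search type and search filter can be derived from a certificate subject name while escaping subject values (RFC 4514 for the DN, RFC 4515 for the filter), so that characters in the certificate cannot alter the search. The names dn_comps and filter_comps, and the choice of O and C for the base DN and CN for the filter, are assumptions.

```python
import re

SCOPES = ("base", "onelevel", "subtree")  # the three search types described above

def _unescape(v):  # single pass: \HH hex runs (UTF-8 bytes) or \<char> pairs
    def rep(m):
        if m.group(1):
            return bytes.fromhex(m.group(1).replace("\\", "")).decode("utf-8")
        return m.group(2)
    return re.sub(r"((?:\\[0-9A-Fa-f]{2})+)|\\(.)", rep, v)

def parse_dn(dn):
    """Split a DN into (TYPE, value) pairs; unescaped '+' (multi-valued RDN) is not split."""
    parts = re.findall(r"(?:\\.|[^\\,])+", dn)  # split on unescaped commas only
    if ",".join(parts) != dn:  # empty RDN or dangling backslash
        raise ValueError("malformed DN")
    pairs = []
    for part in parts:
        attr, sep, value = part.lstrip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("RDN without attribute type")
        pairs.append((attr.strip().upper(), _unescape(value)))
    return pairs

def escape_dn(v):  # RFC 4514 escaping for a value placed inside a DN
    out = ["\\" + c if c in '",+;<>\\' else "\\00" if c == "\x00" else c for c in v]
    if out and out[0] in (" ", "#"):
        out[0] = "\\" + out[0]
    if len(out) > 1 and out[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)

def escape_filter(v):  # RFC 4515 escaping for a value placed inside a filter
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), v)

def build_search(subject_dn, dn_comps=("O", "C"), filter_comps=("CN",), scope="subtree"):
    """Derive (base DN, search type, filter) from a certificate subject name."""
    if scope not in SCOPES:
        raise ValueError("unknown scope")
    pairs = parse_dn(subject_dn)
    base = [f"{t}={escape_dn(v)}" for t, v in pairs if t in dn_comps]
    terms = [f"({t.lower()}={escape_filter(v)})" for t, v in pairs if t in filter_comps]
    if not base or not terms:  # refuse to search without both parts
        raise ValueError("subject lacks a required component")
    flt = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return ",".join(base), scope, flt

# Constructed subject name containing characters that are special in DNs and filters
SUBJECT = r"CN=Jane (QA)*, OU=people, O=Siroe\, Inc., C=US"
```

Without the filter escaping, the parentheses and asterisk in the constructed CN would be read as filter syntax and a wildcard rather than as literal characters.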