Weird modeling in X.500/LDAP and ActiveDirectory: cn in distinguished names
By steffo on Apr 13, 2007
Over the last few years I have come across some common issues with modeling in LDAP and Active Directory, well, more in AD than in LDAP. The first issue concerns distinguished names.
I never understood why so many AD implementations use the cn rather than uid or employeeNumber as part of the distinguished name. The problem is that if there are employees with frequently occurring common names like 'John Smith', the DNs look like
dn: cn=John Smith,ou=People,dc=company,dc=com
dn: cn=John J Smith,ou=People,dc=company,dc=com
dn: cn=John Smith 1,ou=People,dc=company,dc=com
dn: cn=John Smith 2,ou=People,dc=company,dc=com
This might not appear to be a problem from an LDAP perspective, but it is one from an identity management perspective. If John Smith marries Jane Miller and changes his name, the key (the dn) must be changed as well. Employee numbers don't change. Moreover, if the entries do not contain a company-wide unique attribute at all, it is difficult to tell whether 'jsmith5' on UNIX belongs to the same person as 'cn=John Smith 3' in LDAP/AD.
Once an IDM is deployed, no enterprise information system can any longer be regarded as an island. Data quality is one of the major issues in identity management projects, and improper naming conventions contribute to it.
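As an added illustration (not code from the original post), a small Python simulation of the two naming schemes: renaming an entry whose RDN is cn forces a DN change (an LDAP modrdn) and a rewrite of every DN-valued group reference, while an employeeNumber RDN keeps the DN stable. The entries, group names and employee numbers are constructed sample data; the referential-integrity behaviour is modelled, not taken from any particular server.

```python
BASE = "ou=People,dc=company,dc=com"

# Constructed sample data: two employees sharing a common name.
PEOPLE = [
    {"cn": "John Smith", "employeeNumber": "100234", "uid": "jsmith5"},
    {"cn": "John Smith 1", "employeeNumber": "100877", "uid": "jsmith7"},
]

def make_dn(rdn_attr, entry):
    """Build the DN the way the directory would, using rdn_attr as the RDN."""
    return f"{rdn_attr}={entry[rdn_attr]},{BASE}"

def build_directory(rdn_attr):
    """Return (entries, groups): entries keyed by DN, groups holding member DNs."""
    entries = {make_dn(rdn_attr, p): dict(p) for p in PEOPLE}
    groups = {
        "cn=payroll,ou=Groups,dc=company,dc=com": list(entries),
        "cn=vpn,ou=Groups,dc=company,dc=com": [make_dn(rdn_attr, PEOPLE[0])],
    }
    return entries, groups

def rename_person(entries, groups, rdn_attr, employee_number, new_cn,
                  fix_references=True):
    """Apply a name change; return how many group references were rewritten.

    With cn in the RDN the DN changes and every DN-valued reference must be
    rewritten (fix_references=False models a server without referential
    integrity, which leaves stale members behind). With employeeNumber in
    the RDN only the cn attribute value changes and the DN stays the same."""
    old_dn = next(dn for dn, e in entries.items()
                  if e["employeeNumber"] == employee_number)
    entry = entries.pop(old_dn)
    entry["cn"] = new_cn
    new_dn = make_dn(rdn_attr, entry)
    entries[new_dn] = entry
    touched = 0
    if new_dn != old_dn and fix_references:
        for members in groups.values():
            for i, member in enumerate(members):
                if member == old_dn:
                    members[i] = new_dn
                    touched += 1
    return touched

def dangling_members(entries, groups):
    """Audit helper: member DNs that no longer resolve to an entry."""
    return [m for members in groups.values() for m in members
            if m not in entries]
```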