<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Distinguished names (DNs)</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahyunderdn"></a>
<h2 id="rzahyunderdn">Distinguished names (DNs)</h2>
<p>Every entry in the directory has a distinguished name (DN). The DN is the
name that uniquely identifies an entry in the directory. A DN is made up of
attribute=value pairs, separated by commas, for example:</p>
<pre class="xmp">cn=Ben Gray,ou=editing,o=New York Times,c=US
cn=Lucille White,ou=editing,o=New York Times,c=US
cn=Tom Brown,ou=reporting,o=New York Times,c=US</pre>
<p>Any of the attributes defined in the directory schema can be used to make
up a DN. The order of the component attribute value pairs is important. The
DN contains one component for each level of the directory hierarchy from the
root down to the level where the entry resides. LDAP DNs begin with the most
specific attribute (usually some sort of name), and continue with progressively
broader attributes, often ending with a country attribute. The first component
of the DN is referred to as the Relative Distinguished Name (RDN). It identifies
an entry distinctly from any other entries that have the same parent. In the
examples above, the RDN "cn=Ben Gray" separates the first entry from the second
entry (with RDN "cn=Lucille White"). These two example DNs are otherwise
equivalent. The attribute=value pair making up the RDN for an entry must also
be present in the entry. (This is not true of the other components of the
DN.)</p>
<p>Follow this example to create an entry for a person:</p>
<pre class="xmp">dn: cn=Tim Jones,o=ibm,c=us
objectclass: top
objectclass: person
cn: Tim Jones
sn: Jones
telephonenumber: 555-555-1234</pre>
<p><span class="bold">DN escaping rules</span></p>
<p>Some characters have special meaning in a DN. For example, = (equals) separates
an attribute name and value, and , (comma) separates attribute=value pairs.
The special characters are <span class="bold">,</span> (comma), <span class="bold">=</span> (equals), <span class="bold">+</span> (plus), <span class="bold">&lt;</span> (less than), <span class="bold">></span> (greater than), <span class="bold">#</span> (number sign), <span class="bold">;</span> (semicolon), <span class="bold">\</span> (backslash), and <span class="bold">&quot;</span> (quotation mark,
ASCII 34).</p>
<p>A special character can be escaped in an attribute value to remove the
special meaning. To escape these special characters or other characters in
an attribute value in a DN string, use the following methods:</p>
<ol type="1">
<li>If a character to be escaped is one of the special characters, precede
it by a backslash ('\' ASCII 92). This example shows a method of escaping
a comma in an organization name:
<pre class="xmp">CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB</pre>This is the preferred method.</li>
<li>Otherwise, replace the character to be escaped with a backslash followed by two hex
digits, which encode a single byte of the character's code. The code of
the character <span class="bold">must</span> be in the UTF-8 code set, so a
multibyte UTF-8 character needs one backslash-and-hex-digit pair per byte.
<pre class="xmp">CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB</pre></li>
<li>Surround the entire attribute value with <span class="bold">&quot;&quot;</span> (quotation marks, ASCII 34); the quotation marks are not part of the value. Between
the quotation character pair, all characters are taken as is, except for the <span class="bold">\</span> (backslash). The <span class="bold">\</span> (backslash) can be used to escape a backslash (ASCII 92), a
quotation mark (ASCII 34), any of the special characters previously mentioned,
or hex pairs as in method 2. For example, to escape the quotation marks in <tt class="xph">cn=xyz"qrs"abc</tt>, write <tt class="xph">cn=xyz\"qrs\"abc</tt>;
to escape a <span class="bold">\</span>:
<pre class="xmp">"you need to escape a single backslash this way \\"
</pre>Another example: <tt class="xph">"\Zoo"</tt> is illegal, because 'Z'
cannot be escaped in this context.</li></ol>
<p><span class="bold">Pseudo DNs</span></p>
<p>Pseudo DNs are used in access control definition and evaluation. The LDAP
directory supports several pseudo DNs (for example, "group:CN=THIS" and "access-id:CN=ANYBODY"),
which are used to refer to large numbers of DNs that share a common characteristic,
in relation to either the operation being performed or the object on which
the operation is being performed. For more information on access control,
see <a href="rzahysecrf.htm#rzahysecrf">Directory Server security</a>.</p>
<p>Three pseudo DNs are supported by Directory Server:</p>
<ul>
<li>access-id: CN=THIS
<p>When specified as part of an ACL, this DN refers
to a bind DN that is the same as the DN on which the operation is performed.
For example, if an operation is performed on the object "cn=personA, ou=IBM,
c=US" and the bind DN is "cn=personA, ou=IBM, c=US", the permissions granted
are a combination of those given to "CN=THIS" and those given to "cn=personA,
ou=IBM, c=US".</p></li>
<li>group: CN=ANYBODY
<p>When specified as part of an ACL, this DN refers
to all users, even those that are unauthenticated. Users cannot be removed
from this group, and this group cannot be removed from the database.</p></li>
<li>group: CN=AUTHENTICATED
<p>This DN refers to any DN that has been authenticated
by the directory. The method of authentication is not considered.</p>
<a name="wq3"></a>
<div class="notetitle" id="wq3">Note:</div>
<div class="notebody">"CN=AUTHENTICATED" refers to a DN that has been authenticated
anywhere on the server, regardless of where the object representing the DN
is located. It should be used with caution, however. For example, under one
suffix, "cn=Secret" could be a node called "cn=Confidential Material" which
has an aclentry of "group:CN=AUTHENTICATED:normal:rsc". Under another suffix,
"cn=Common" could be the node "cn=Public Material". If these two trees reside
on the same server, a bind to "cn=Public Material" would be considered authenticated,
and would get permission to the normal class on the "cn=Confidential Material"
object.</div></li></ul>
<p>Some examples of pseudo DNs:</p>
<dl>
<dt class="bold">Example 1</dt>
<dd>Consider the following ACL for object: cn=personA, c=US
<pre class="xmp">AclEntry: access-id: CN=THIS:critical:rwsc
AclEntry: group: CN=ANYBODY: normal:rsc
AclEntry: group: CN=AUTHENTICATED: sensitive:rcs</pre>
<a name="wq4"></a>
<table id="wq4" width="100%" summary="" border="1" frame="border" rules="all" class="singleborder">
<thead valign="bottom">
<tr class="tablemainheaderbar">
<th id="wq5" width="29%" align="left" valign="top">User Binding as</th>
<th id="wq6" width="70%" align="center" valign="top">Would receive</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td headers="wq5">cn=personA, c=US</td>
<td align="center" headers="wq6">normal:rsc:sensitive:rcs:critical:rwsc</td>
</tr>
<tr>
<td headers="wq5">cn=personB, c=US</td>
<td align="center" headers="wq6">normal:rsc:sensitive:rsc</td>
</tr>
<tr>
<td headers="wq5">Anonymous</td>
<td align="center" headers="wq6">normal:rsc</td>
</tr>
</tbody>
</table>In this example, personA receives permissions granted to the "CN=THIS"
ID, and permissions given to both the "CN=ANYBODY" and "CN=AUTHENTICATED"
pseudo DN groups.
</dd>
<dt class="bold">Example 2</dt>
<dd>Consider the following ACL for object: cn=personA, c=US
<pre class="xmp">AclEntry: access-id:cn=personA, c=US: object:ad
AclEntry: access-id: CN=THIS:critical:rwsc
AclEntry: group: CN=ANYBODY: normal:rsc
AclEntry: group: CN=AUTHENTICATED: sensitive:rcs</pre> For an operation performed
on cn=personA, c=US:
<a name="wq7"></a>
<table id="wq7" width="100%" summary="" border="1" frame="border" rules="all" class="singleborder">
<thead valign="bottom">
<tr class="tablemainheaderbar">
<th id="wq8" width="29%" align="left" valign="top">User Binding as</th>
<th id="wq9" width="70%" align="center" valign="top">Would receive</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td headers="wq8">cn=personA, c=US</td>
<td align="center" headers="wq9">object:ad:critical:rwsc</td>
</tr>
<tr>
<td headers="wq8">cn=personB, c=US</td>
<td align="center" headers="wq9">normal:rsc:sensitive:rsc</td>
</tr>
<tr>
<td headers="wq8">Anonymous</td>
<td align="center" headers="wq9">normal:rsc</td>
</tr>
</tbody>
</table>In this example, personA receives permissions granted to the "CN=THIS"
ID, and those given to the DN itself "cn=personA, c=US". Note that the group
permissions are not given because there is a more specific aclentry ("access-id:cn=personA,
c=US") for the bind DN ("cn=personA, c=US").
</dd>
</dl>
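<p>The following is an added example, not code from IBM or from this page: a small Python evaluator that reproduces the two permission tables above from the ACL text. The precedence rules it applies are assumptions read off those tables, not the server's own algorithm: "CN=THIS" applies when the bind DN is the object DN, "CN=ANYBODY" applies to every bind, "CN=AUTHENTICATED" to every non-anonymous bind, and group entries are skipped when an access-id entry names the bind DN specifically. DN comparison is a deliberately crude lowercase and whitespace-stripping match (assumed), not schema-aware normalization.</p>

```python
"""Added example (assumed rules, not Directory Server code): evaluate the
pseudo-DN ACL examples from this page for a given bind DN."""
from __future__ import annotations

ANONYMOUS = None  # bind DN of an unauthenticated connection

# ACL text copied from Example 1 / Example 2 on this page.
EXAMPLE_1 = [
    "AclEntry: access-id: CN=THIS:critical:rwsc",
    "AclEntry: group: CN=ANYBODY: normal:rsc",
    "AclEntry: group: CN=AUTHENTICATED: sensitive:rcs",
]
EXAMPLE_2 = ["AclEntry: access-id:cn=personA, c=US: object:ad"] + EXAMPLE_1
OBJECT_DN = "cn=personA, c=US"


def _norm(dn: str) -> str:
    """Crude DN comparison key (assumption): lowercase, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl(lines: list[str]) -> list[tuple[str, str, str, frozenset[str]]]:
    """Turn 'AclEntry: <type>: <subject>: <class>:<perms>' lines into tuples."""
    entries = []
    for line in lines:
        _, body = line.split(":", 1)  # drop the 'AclEntry' label
        subject_type, subject, cls, perms = [f.strip() for f in body.split(":")]
        entries.append((subject_type.lower(), subject, cls.lower(), frozenset(perms)))
    return entries


def effective_permissions(acl, object_dn: str, bind_dn: str | None) -> dict[str, set[str]]:
    """Map attribute class -> granted permission letters for bind_dn on object_dn.

    Assumed precedence (read from the page's two tables): access-id entries are
    applied first; group pseudo DNs are applied only when no access-id entry
    names the bind DN specifically (CN=THIS does not count as specific).
    """
    granted: dict[str, set[str]] = {}
    specific_entry = False
    # Pass 1: access-id entries (a specific DN or the CN=THIS pseudo DN).
    for subject_type, subject, cls, perms in acl:
        if subject_type != "access-id" or bind_dn is None:
            continue
        if subject.upper() == "CN=THIS":
            if _norm(bind_dn) != _norm(object_dn):
                continue
        elif _norm(subject) == _norm(bind_dn):
            specific_entry = True
        else:
            continue
        granted.setdefault(cls, set()).update(perms)
    # Pass 2: group pseudo DNs, unless a specific access-id entry already matched.
    if not specific_entry:
        for subject_type, subject, cls, perms in acl:
            if subject_type != "group":
                continue
            name = subject.upper()
            # CN=AUTHENTICATED is satisfied by any authenticated bind, wherever the
            # bind DN lives on the server (the caveat in the note above).
            if name == "CN=ANYBODY" or (name == "CN=AUTHENTICATED" and bind_dn is not None):
                granted.setdefault(cls, set()).update(perms)
    return granted


def describe(granted: dict[str, set[str]]) -> str:
    """Render a grant map in the page's 'class:perms:class:perms' table style."""
    return ":".join(f"{cls}:{''.join(sorted(p))}" for cls, p in sorted(granted.items()))


if __name__ == "__main__":
    for label, acl in (("Example 1", parse_acl(EXAMPLE_1)), ("Example 2", parse_acl(EXAMPLE_2))):
        print(label)
        for who in ("cn=personA, c=US", "cn=personB, c=US", ANONYMOUS):
            print(f"  {who or 'Anonymous':18} -> {describe(effective_permissions(acl, OBJECT_DN, who))}")
```

<p>Running the script prints one line per row of the two tables. The point worth checking in a real deployment is the second pass: a single specific access-id entry for a bind DN silences every group entry, so adding a narrow "access-id" grant can remove permissions that the "CN=AUTHENTICATED" group was providing.</p>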
<p><span class="bold">Enhanced DN processing</span></p>
<p>A composite RDN of a DN consists of multiple components connected by
the '+' operator. The server supports searches on entries that have such a DN:
the components of a composite RDN can be specified in any order when the DN
is used as the base for a search operation.</p>
<pre class="xmp">ldapsearch -b "cn=mike+ou=austin,o=ibm,c=us" "(objectclass=*)" </pre>
<p>The server supports a DN normalization extended operation. DN normalization
extended operations normalize DNs using the server schema. This extended
operation might be useful for applications that use DNs. For more information
about extended operations, see <a href="rzahycontrols.htm#rzahycontrols">Controls and extended operations</a>.</p>
<p><span class="bold">Distinguished name syntax</span></p>
<p>The formal syntax for a Distinguished Name (DN) is based on RFC 2253. The
Backus-Naur Form (BNF) syntax is defined as follows:</p>
<pre class="xmp">&lt;name> ::= &lt;name-component> ( &lt;spaced-separator> )
| &lt;name-component> &lt;spaced-separator> &lt;name>
&lt;spaced-separator> ::= &lt;optional-space>
&lt;separator>
&lt;optional-space>
&lt;separator> ::= "," | ";"
&lt;optional-space> ::= ( &lt;CR> ) *( " " )
&lt;name-component> ::= &lt;attribute>
| &lt;attribute> &lt;optional-space> "+"
&lt;optional-space> &lt;name-component>
&lt;attribute> ::= &lt;string>
| &lt;key> &lt;optional-space> "=" &lt;optional-space> &lt;string>
&lt;key> ::= 1*( &lt;keychar> ) | "OID." &lt;oid> | "oid." &lt;oid>
&lt;keychar> ::= letters, numbers, and space
&lt;oid> ::= &lt;digitstring> | &lt;digitstring> "." &lt;oid>
&lt;digitstring> ::= 1*&lt;digit>
&lt;digit> ::= digits 0-9
&lt;string> ::= *( &lt;stringchar> | &lt;pair> )
| '"' *( &lt;stringchar> | &lt;special> | &lt;pair> ) '"'
| "#" &lt;hex>
&lt;special> ::= "," | "=" | &lt;CR> | "+" | "&lt;" | ">"
| "#" | ";"
&lt;pair> ::= "\" ( &lt;special> | "\" | '"')
&lt;stringchar> ::= any character except &lt;special> or "\" or '"'
&lt;hex> ::= 2*&lt;hexchar>
&lt;hexchar> ::= 0-9, a-f, A-F</pre>
<p>A semicolon (;) character can be used to separate RDNs in a distinguished
name, although the comma (,) character is the typical notation.</p>
<p>White-space characters (spaces) might be present on either side of the
comma or semicolon. The white-space characters are ignored, and the semicolon
is replaced with a comma.</p>
<p>In addition, space (' ' ASCII 32) characters can be present either before
or after a '+' or '='. These space characters are ignored when parsing.</p>
<p>The following example is a distinguished name written using a notation
that is designed to be convenient for common forms of names. It is a name
containing three components, the first of which is a compound RDN.
A compound RDN contains more than one attribute=value pair and can be used
to distinctly identify a specific entry in cases where a simple CN value might
be ambiguous:</p>
<pre class="xmp">OU=Sales+CN=J. Smith,O=Widget Inc.,C=US</pre>
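<p>The following is an added example, not code from IBM or from this page. It implements the three escaping methods from the "DN escaping rules" section and the parsing rules of the BNF above (comma or semicolon separators, ignored spaces around separators and '=', '+'-joined composite RDNs, quoted values), and it shows the kind of canonical form a DN normalization operation produces, so that "cn=mike+ou=austin" and "ou=austin+cn=mike" compare equal. Every function name is this example's own. One simplification is assumed and stated in the code: attribute values keep their case, because whether a value compares case-insensitively depends on the attribute's schema syntax, which a real DN normalization extended operation consults and this example does not.</p>

```python
"""Added example (not Directory Server code): a small DN parser, escaper and
normalizer following the escaping rules and the RFC 2253-style BNF on this
page.  Assumption: value case is left alone; only attribute types are folded."""
from __future__ import annotations

SPECIAL = set(',=+<>#;\\"')               # special characters listed on this page
HEX = set("0123456789abcdefABCDEF")

def escape_value(value: str) -> str:
    """Method 1: precede each special character with a backslash."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)

def escape_value_hex(value: str) -> str:
    """Method 2: replace each special character with one \\XX per UTF-8 byte."""
    return "".join("".join(f"\\{b:02X}" for b in ch.encode("utf-8")) if ch in SPECIAL else ch
                   for ch in value)

def _unescape(dn: str, i: int) -> tuple[str, int]:
    """dn[i] is a backslash; return the character it encodes and the next index."""
    if i + 1 >= len(dn):
        raise ValueError("dangling backslash at end of DN")
    nxt = dn[i + 1]
    if nxt in SPECIAL:                        # \, \= \+ \< \> \# \; \\ \"
        return nxt, i + 2
    if nxt in HEX and i + 2 < len(dn) and dn[i + 2] in HEX:
        buf = bytearray()                     # adjacent \XX pairs form one UTF-8 character
        while i + 2 < len(dn) and dn[i] == "\\" and dn[i + 1] in HEX and dn[i + 2] in HEX:
            buf.append(int(dn[i + 1:i + 3], 16))
            i += 3
        return buf.decode("utf-8"), i         # UnicodeDecodeError is a ValueError
    raise ValueError(f"{nxt!r} cannot be escaped here (the page's \"\\Zoo\" case)")

def _parse_value(dn: str, i: int) -> tuple[str, int]:
    """Parse one attribute value starting at dn[i]; return (value, index after it)."""
    n = len(dn)
    if i < n and dn[i] == '"':                # Method 3: quoted value
        i, chars = i + 1, []
        while i < n and dn[i] != '"':
            ch, i = _unescape(dn, i) if dn[i] == "\\" else (dn[i], i + 1)
            chars.append(ch)
        if i >= n:
            raise ValueError("unterminated quoted value")
        return "".join(chars), i + 1
    pairs: list[tuple[str, bool]] = []        # (character, was it escaped?)
    while i < n and dn[i] not in ",;+":
        if dn[i] == "\\":
            ch, i = _unescape(dn, i)
            pairs.append((ch, True))
        elif dn[i] in SPECIAL:
            raise ValueError(f"unescaped special character {dn[i]!r} at offset {i}")
        else:
            pairs.append((dn[i], False))
            i += 1
    while pairs and pairs[-1] == (" ", False):  # spaces before a separator are ignored
        pairs.pop()
    return "".join(ch for ch, _ in pairs), i

def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Split a DN into RDNs, most specific first; each RDN is a list of (type, value)."""
    rdns: list[list[tuple[str, str]]] = []
    rdn: list[tuple[str, str]] = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        key = dn[i:eq].strip() if eq >= 0 else ""   # spaces around '=' are ignored
        if not key:
            raise ValueError(f"attribute type missing at offset {i}")
        i = eq + 1
        while i < n and dn[i] == " ":
            i += 1
        value, i = _parse_value(dn, i)
        rdn.append((key, value))
        while i < n and dn[i] == " ":             # spaces before , ; + are ignored
            i += 1
        if i >= n:
            break
        sep, i = dn[i], i + 1
        if sep in ",;":                           # ';' is accepted as an alias of ','
            rdns.append(rdn)
            rdn = []
        elif sep != "+":
            raise ValueError(f"unexpected {sep!r} at offset {i - 1}")
        if i >= n:
            raise ValueError("DN ends with a separator")
    if rdn:
        rdns.append(rdn)
    return rdns

def normalize_dn(dn: str) -> str:
    """Canonical spelling: lowercase types, composite-RDN parts sorted by type,
    ',' as the only separator, no stray spaces, values re-escaped with method 1."""
    parts = []
    for rdn in parse_dn(dn):
        comps = sorted((k.lower(), v) for k, v in rdn)
        parts.append("+".join(f"{k}={escape_value(v)}" for k, v in comps))
    return ",".join(parts)

if __name__ == "__main__":
    print(parse_dn("CN=L. Eagle,O=Sue\\, Grabbit and Runn,C=GB"))
    print(normalize_dn("ou=austin + cn=mike , o=ibm ; c=us"))  # cn=mike+ou=austin,o=ibm,c=us
```

<p>The parser rejects exactly what the page calls illegal: an unescaped special character inside an unquoted value, and a backslash in front of a character that is neither special, a backslash, a quotation mark, nor the start of a hex pair (the "\Zoo" case). Comparing DNs through <tt class="xph">normalize_dn</tt> rather than by string equality is what makes a composite RDN written in either order match the same entry, which is the behaviour the "Enhanced DN processing" section describes for search bases.</p>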
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>