What are the best practices for choosing an RDN when creating new objectClasses in LDAP? I know you can choose from uid, cn, ou, and so on, but what practices should one follow?
Perhaps it may be more wise to use one of the pre-defined objectClasses instead of creating a new one. Here is a list of commonly used derived classes.
When using OpenLDAP you can choose any attribute as RDN that is allowed on the object (according to its objectClasses), but on ActiveDirectory the RDN attribute is defined in the appropriate schema - so you don't have a choice when using pre-defined classes.
When you have the choice (using OpenLDAP or using your own schema on ActiveDirectory), I'd suggest using an RDN that effectively identifies the underlying entry (naturally your RDN must be unique within the children of a given subtree). OpenLDAP also allows for the use of multi-valued RDNs if a single RDN attribute is not sufficient to uniquely identify a given entry:
cn=Robert Smith+uid=rsmith,ou=people,dc=example,dc=com
The RDN is essentially (part of) your primary key. The same principles apply:
- Something unique about the entry (or a combination of things).
- Something that doesn't change (or doesn't change very often).
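An added example (not from either answer) that checks a proposed DN against the two points made above: the RDN, including a multi-valued one joined with "+", must be made of values the entry actually carries, and it must be unique among the siblings under the same parent. The function names and the sample DNs are constructed for illustration and assume caseIgnoreMatch for the RDN attributes.

```python
import re

def _split_unescaped(text, sep):
    """Split on sep, ignoring separators escaped with a backslash."""
    return re.split(r'(?<!\\)' + re.escape(sep), text)

def parse_rdn(dn):
    """Leftmost RDN of dn as {attr: value}; handles multi-valued RDNs (a=b+c=d).
    Names and values are lower-cased, as caseIgnoreMatch on cn/uid would compare them."""
    pairs = {}
    for ava in _split_unescaped(_split_unescaped(dn, ',')[0], '+'):
        attr, _, value = ava.partition('=')
        pairs[attr.strip().lower()] = value.strip().lower().replace('\\,', ',')
    return pairs

def rdn_in_entry(dn, entry):
    """LDAP requires every RDN attribute value to be present on the entry itself."""
    have = {k.lower(): {v.lower() for v in vs} for k, vs in entry.items()}
    return all(val in have.get(attr, set()) for attr, val in parse_rdn(dn).items())

def rdn_unique(dn, sibling_dns):
    """True if no existing child of the same parent already carries this RDN."""
    new = parse_rdn(dn)
    return not any(parse_rdn(s) == new for s in sibling_dns)

def check_new_entry(dn, entry, sibling_dns):
    """Return the reasons a directory server would reject this add (empty list = OK)."""
    problems = []
    if not rdn_in_entry(dn, entry):
        problems.append("RDN attribute value(s) missing from entry")
    if not rdn_unique(dn, sibling_dns):
        problems.append("RDN already used by a sibling entry")
    return problems

# Constructed sample data: existing children of ou=people (not a real directory).
EXISTING = ["cn=Robert Smith+uid=rsmith,ou=people,dc=example,dc=com",
            "uid=jdoe,ou=people,dc=example,dc=com"]

if __name__ == "__main__":
    # Multi-valued RDN disambiguates a second "Robert Smith" from the existing one.
    print(check_new_entry("cn=Robert Smith+uid=rsmith2,ou=people,dc=example,dc=com",
                          {"cn": ["Robert Smith"], "uid": ["rsmith2"]}, EXISTING))
    # Same uid differing only in case collides with the existing jdoe entry.
    print(check_new_entry("uid=JDOE,ou=people,dc=example,dc=com",
                          {"uid": ["jdoe"]}, EXISTING))
```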