Multivalued and Multiple-Attribute RDNs

[RFC2253] section 2 defines the following grammar rule for RelativeDistinguishedName, which explicitly allows RDNs to contain multiple attributes and values:

  • RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

Active Directory is conformant with this rule, with the restriction that MAX equals 1 within the scope of the rule. As a result, multivalued RDNs that consist of multiple attributes (sometimes referred to as "multi-AVA RDNs"), or multiple instances of the same attribute, are both disallowed in Active Directory. An attempt to create such a DN is considered an attempt to create a syntactically invalid DN, and returns the error invalidDNSyntax / ERROR_DS_BAD_NAME_SYNTAX. For example, assuming that F is a multivalued attribute of String(Unicode) syntax, the following two DNs are both disallowed because they contain multivalued RDNs:

  • F=John Smith+F=David Jones, OU=Users,DC=Fabrikam,DC=com

  • F=John Smith+l=Redmond, OU=Users,DC=Fabrikam,DC=com

(Note that, if it is assumed that these DNs represent an object of a class C for which C!rDNAttID = F, the second example is also disallowed because it contains the l attribute in the RDN. The server will return a namingViolation  / <unrestricted> error when an attempt is made to add an object of class C whose RDN contains a different AttributeType than that declared in C!rDNAttID.)