You must understand the following concepts in order to work with the LDAP Access Service:
o=XYZ Corp
telephoneNumber=1-800-787-2218,1-212-402-3390
Each name-value pair can be said to represent a hierarchical node in the DIT. The hierarchy begins at the right and continues to the left, so that in the example above, the first node is c=US, then o=XYZ Corp, and so on. Basically, a data entry in a DIT is identified uniquely by combining its own name-value pair with the name-value pair of its parent entries, in an ascending hierarchy, from left to right.
ou=Finance,o=XYZ Corp,c=US
o=XYZ Corp,c=US
o=XYZ Corp,c=US
Unlike for distinguished names, the name-value pairs in a root suffix do not correspond to actual directory entries; in other words a root suffix cannot be broken down into sub-entries. An administrator would be responsible for creating root suffixes in a LDAP directory, and would define the whole suffix at once, for example as o=XYZ Corp,c=US, instead of first defining the entry c=US, then another one underneath it called o=XYZ Corp.
cn=John Doe,ou=Finance
telephone : 1-800-232-5672,1-808-212-3434