LDAP Directory Concepts

The directory is an inverted tree of objects.

Each object can contain one or more attributes.

ObjectClass determines what attributes an object must have or may have.

Each object can belong to one or more ObjectClasses.

Each object in the tree must be distinguished by having a unique DN.

The DN determines the location of the object in the tree.

The schema contains the definitions of ObjectClass and attributes.

Schema sample

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
        DESC 'Abstraction of a group of accounts'
        SUP top STRUCTURAL
        MUST ( cn $ gidNumber )
        MAY ( userPassword $ memberUid $ description ) )

The above means that for the posixGroup ObjectClass, the cn and gidNumber attributes are mandatory, while the attributes userPassword, memberUid and description are optional.

Object sample

# demo1, people, example.com
dn: uid=demo1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson  <--------------\ this object will have attributes
objectClass: posixAccount   <--------------/  of these 2 ObjectClasses
cn: John Doe
cn: demo1
sn: Doe
uid: demo1  <------------------------------ attribute from both inetOrgPerson and posixAccount
telephoneNumber: 9001-1234
mail: demo1@el5.example.com  <------------- attribute from inetOrgPerson
description: A demo account
userPassword:: e1NTSEF9Z2hVSW9CL2lTWEVmNElUVFZTWmpCa3dZejNtSXd2WGQ=
gidNumber: 500
homeDirectory: /home/demo1
uidNumber: 500
loginShell: /bin/bash  <------------------- attribute from posixAccount

Also, ObjectClasses can have overlapping attributes. In the above object, amongst others, uid is defined in both ObjectClasses.
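As an added example (not part of the original page), the following Python script puts the concepts above to work: it parses the posixGroup definition into its MUST and MAY sets, reads LDIF entries (decoding the `::` base64 form used for userPassword above), and reports entries that lack a mandatory attribute or carry one that none of their ObjectClasses allow. The two entries are constructed for this example; a directory server performs the same schema check when an entry is written, so running it offline catches bad LDIF before it is loaded.

```python
import base64
import re

# Schema definition quoted from the page (posixGroup, RFC 2307).
POSIX_GROUP_SCHEMA = """objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
        DESC 'Abstraction of a group of accounts'
        SUP top STRUCTURAL
        MUST ( cn $ gidNumber )
        MAY ( userPassword $ memberUid $ description ) )"""

# Constructed sample entries (not from the page). The second one lacks the
# mandatory gidNumber and carries loginShell, which posixGroup does not permit.
GOOD_ENTRY = """dn: cn=demo,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: demo
gidNumber: 500
memberUid: demo1
userPassword:: e1NTSEF9Z2hVSW9CL2lTWEVmNElUVFZTWmpCa3dZejNtSXd2WGQ="""
BAD_ENTRY = """dn: cn=broken,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: broken
memberUid: demo1
loginShell: /bin/bash"""
def parse_objectclass(text):
    """Return (name, MUST set, MAY set) from an objectclass definition, lowercased."""
    name = re.search(r"NAME\s+'([^']+)'", text).group(1).lower()
    def attrs(keyword):  # accepts "MUST ( a $ b )" and the one-attribute form "MUST a"
        m = re.search(keyword + r"\s+(?:\(\s*([^)]*)\)|(\w+))", text)
        body = (m.group(1) or m.group(2) or "") if m else ""
        return {a.strip().lower() for a in body.split("$") if a.strip()}
    return name, attrs("MUST"), attrs("MAY")
def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; 'attr::' marks a base64 value."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and LDIF comments
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry
def check_entry(entry, schema):
    """Return (missing MUST attrs, attrs that no objectClass of the entry allows)."""
    must, may = set(), {"dn", "objectclass"}  # objectClass itself is inherited from top
    for oc in entry.get("objectclass", []):
        oc_must, oc_may = schema[oc.lower()]  # KeyError if the objectClass is unknown
        must, may = must | oc_must, may | oc_may
    return sorted(must - set(entry)), sorted(set(entry) - must - may)
SCHEMA = {n: (mu, ma) for n, mu, ma in map(parse_objectclass, [POSIX_GROUP_SCHEMA])}
```

Attribute names are compared case-insensitively, as LDAP does; an entry is accepted only when every MUST attribute of all its ObjectClasses is present and every attribute it carries is a MUST or MAY of at least one of them.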


ldap/concepts.txt · Last modified: 2011-04-28 15:44 by admin