LDAP schema
A directory entry contains information about a particular entity, or object -- for example, a person or a group -- and is associated with a distinguished name. An LDAP schema is a set of rules that define what can be stored as entries in an LDAP directory. Each LDAP directory has a default schema, which organizations can customize, or "extend," by adding elements to it. The elements of a schema are attributes, syntaxes, and object classes. LDAP directory servers provide the ability to enforce the schema to ensure that directory changes made using LDAP operations conform to it.
Attributes
An
attribute defines a piece of information that directory entries contain.
For example, some common attributes for entries related to people
are cn (common name), telephoneNumber,
and userPassword.
An attribute is either mandatory or optional for a particular type of entry. When an attribute is mandatory and directory administrators use schema-checking to enforce the schema, administrators must provide a value for the attribute when they add or modify the entries using LDAP operations. An attribute can also be defined to allow multiple values (default) or just one value.
Multiple types of directory entries can use the same attribute.
Object classes
An object class defines a set of attributes for a type of directory entry. Two or more object classes in an object class hierarchy define the attributes for a type of entry. An object class inherits attributes from all parent object classes in the hierarchy and then adds attributes of its own; for example:
Object class 1: adds attribute A
Object class 2: inherits attribute A and adds attributes B, C, and D
Object class 3: inherits attributes A, B, C, and D, and adds attributes E and F
There are three types of object classes: abstract, structural, and auxiliary.
Abstract object classes
An abstract object class
defines an attribute or set of attributes that all object classes
in an object class structure inherit. Every object class structure
must have an abstract object class as the top-level object class.
A default LDAP schema typically uses the abstract object class top,
which includes only one attribute, objectClass, which
defines an object class for each entry in the directory.
Structural object classes
A structural object class defines a type
of object entry in an LDAP directory. Examples of structural object
classes are person, organizationalPerson,
and inetOrgPerson. An object class structure must
include at least one structural object class.
Auxiliary object classes
An auxiliary object class adds attributes to another object class, usually a structural object class. An auxiliary object class is useful for defining a set of attributes used by multiple object classes. An auxiliary object class usually inherits from the abstract object class top. Object classes can't inherit attributes from an auxiliary object class. Instead, you must add an auxiliary object class to each object class that uses it.
Syntaxes
A syntax defines the data format in which an attribute value is stored. Directory String, Integer, and JPEG are examples of standard LDAP syntaxes.