Each LDAP entry is associated with a type, or object class, which determines the attributes an entry is required to contain and allowed to contain. For example, the person object class has required attributes cn and sn, and optional attributes description, seealso, telephonenumber, and userpassword.

The entry’s object class is stored in the entry itself, as the value of its objectClass attribute. When you create an LDAP entry, you must specify values for all the attributes required by the entry’s object class, and you may specify values for any optional attributes.

The object class type can be a subtype of another object class. For example, the object class organizationalPerson is a subtype of the object class person. It happens to not add any required attributes, but it adds a number of optional ones, like title, postaladdress, and so on. The base (abstract) object class that every type inherits from is called top. Its single required attribute is objectClass.

Notice that the example entry in the LDAP Data Representation section above has three values for its objectClass attribute: top, person, and organizationalPerson. The first two values seem unnecessary, because they are both ancestors of the organizationalPerson type. However, they are required because not all directory servers support type inheritance.

The objectClass values in an entry do not all have to be each other’s ancestors, however. For example, one can create an entry that is both an organizationalPerson and a mailGroupMember, which itself inherits from top. In other words, multiple inheritance of types is allowed.

loading table of contents...