
LDAP data model - restrictions on RDNs



I was wondering if someone could help me with a question about LDAP.
I'm trying to understand LDAP's data model.  I've read two books on
LDAP ("Implementing LDAP" and "Understanding and Deploying LDAP
Directory Services") and I've looked at the RFCs on LDAP v3, and I
can't find the answer.

This much I understand: Every LDAP entry has a Relative Distinguished
Name.  The RDN of an entry is always of the form "att=val" where att
is the name of an attribute, and the entry has an attribute named
"att", and one of the values of the attribute is "val".  Please
correct me if this isn't right.

I was surprised to find that nowhere in the LDAP schema does it say
anything about which attributes can or should or must be used to form
the RDN.  (I gather X.500 has something called a "name form" which
looks as if it might be relevant, but that concept does not seem to be
in LDAP.)  When you create a new LDAP entry, can you select any
attribute (and any value of that attribute) of the entry to form the
RDN?

For example, could there be an entry of objectClass 'person' whose RDN
was "sn=foo" and another entry of objectClass 'person' whose RDN was
"cn=foo", both in the same LDAP database?  How about if both have the
same DN other than the first RDN, i.e. they are siblings in the DIT?

(I certainly realize why this is a bad idea and I'm not particularly
contemplating doing it; I just want to understand the LDAP data
model.)

For that matter, if you have a set of "sibling" entries, need they
have anything in common *beyond* having the same DN other than the
first RDN?  Can they be of unrelated objectClasses?

Thanks very much!

Dan Weinreb
Software Architect and co-founder
eXcelon Corp.
dlw@exceloncorp.com
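The invariant described in the post (the RDN is "att=val", and the entry must carry attribute "att" with "val" among its values) can be checked mechanically. The following is an added example, not part of the original message: a minimal LDIF reader and an RDN consistency check, run over a constructed sample that contains the two sibling 'person' entries named by sn=foo and cn=foo from the question, plus a third entry whose RDN value is absent from the entry. The DN splitting assumes no escaped commas or multi-valued RDNs, and attribute values are compared literally rather than by the attribute's matching rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed LDIF sample (not from any real directory): two 'person'
# siblings under ou=people, one named by sn and one by cn, and a third
# entry whose RDN value ("bar") does not appear among its cn values.
SAMPLE_LDIF = """\
dn: sn=foo,ou=people,dc=example,dc=com
objectClass: person
cn: Foo Example
sn: foo

dn: cn=foo,ou=people,dc=example,dc=com
objectClass: person
cn: foo
sn: Example

dn: cn=bar,ou=people,dc=example,dc=com
objectClass: person
cn: baz
sn: bar
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: records separated by blank lines, one
    'attr: value' per line. Attribute names are case-insensitive in
    LDAP, so keys are lower-cased; values are kept as written."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attr, value) pairs, leftmost RDN first.
    Assumption: no escaped commas and no multi-valued (a=1+b=2) RDNs."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def rdn_is_consistent(entry: Entry) -> bool:
    """True if the RDN attribute exists in the entry and the RDN value is
    one of its values (literal comparison, no matching rule applied)."""
    attr, value = split_dn(entry["dn"][0])[0]
    return value in entry.get(attr, [])


def parent_dn(entry: Entry) -> str:
    """DN with the first RDN removed; siblings share this string."""
    rest = split_dn(entry["dn"][0])[1:]
    return ",".join(f"{a}={v}" for a, v in rest)
```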