LDAP general questions

Still trying to wrap my head around LDAP...

I understand it has schema's, much like a RDBMS...but what I don't understand is how a schema maps to a hierarchy.

For example, if I wanted to implement some groups/user/acl using RDBMS my tables might look something like:

users:
pkid, email, alias, password, last_login

groups:
pkid, name

groups_list:
pkid, userid, groupid

permissions:
pkid, groupid, name, value

Using DB you would make the relational association between tables and emulate structure...each table has it's own schema...

When you attempt to accomplish this in LDAP...do you basically have to nest schema's in the LDIF???

Is an LDIF analogous to a SQL file with both DDL & DML specified???

Does the schema imply hierarchial relationships in LDAP so you as the programmer do not have to worry about connecting users under certain groups? Is this not what is implied in the chaining of field names...

dn: dc, ou, etc...???

Is this not similar to xpath/css in the way you use selectors to basically start at the root of an item and work your way down until you reach the target field???

I see that LDAP is similar to Windows registry, but as a protocol is allows network access, but fundamentally it's quite similar. Storing objects/classes in a structured fashion...

Anyways, for now, I'd like to know how the schema works...

If I created a schema for users to hold user classes/objects:

users:
pkid, email, alias, password, last_login

How would I now indicate that users are assigned to groups and yet keep that group information separate, so that users can belong to multiple groups?

Would you first create the groups schema and assign a user ID to each as an array of the groups class?

Is LDAP similar to a serialized version of a object in this regard?

If you could make analogies to similar technologies like I have done above, I think that would help in my learing about LDAP.

One more thing before I forget...

If LDAP comes preloaded with (defacto) standard-ized schemas suitable for most organizations...I assume these schemas are what most LDAP exacmples for PHP I've looked at are using?

If I wanted to add to that schema though, and assign users, groups, applications, organizations, etc to an existing schema, is this possible?

For example, when an application installs on Windows, it creates it's own entries in the registry to store it's options, etc. Most applications wouldn't understand the semantics of the data but the syntax is understood/standardized so long as you use the registry API. I assume LDAP is similar???

I could basically take a well known standardized schema (say, Windows own ActiveDirectory) and apply my own users, groups, applications, organizations classes to that schema so my applications could store that informaiton in a centralized location???

Sorry for the short story - I'm just struggling to get a grasp on this and get started working on my authentication/authorization code for my applications.

Cheers