Discussion of "OpenMRS ID" refers to two major components:
While data on users exist in some other places, the user data represented in OpenLDAP is the master record. All other OpenMRS ID-backed services, through some manner or another, must sync their user data with those data in OpenLDAP.
The collective "OpenMRS ID" refers to this system of user management used by the OpenMRS community. An individual user in the system (a person with a username and password) is said to have a single "OpenMRS ID".
Entries are the objects that make up the entirety of the LDAP database. Each entry has a position in the hierarchy of objects and contains a set of attributes that hold the information represented by that object. For example, user entries have attributes such as first name, username, and email address, and are children of an "organizational unit" object for users. Entries are identified by their DN (Distinguished Name), which is the combination of one attribute from that entry (called the RDN, or Relative Distinguished Name) and the parent entry's DN.
For more information, read the Directory Structure section from Wikipedia's LDAP article.
The diagram below visualizes the hierarchy formed by all OpenMRS ID LDAP entries. Remember that all nodes in the diagram are LDAP entries—each entry is simply the child of another (excluding the top-level root entry, which all other entries descend from).
The LDAP protocol specifies operations that can be performed on entries in the system. Example operations include 'add', 'delete', and 'modify'. Operations like 'add' and 'modify' are sent along with a list of attributes that are used to construct or change an entry in the system.
In the OpenMRS Community, direct access to the LDAP server is restricted. Only a few applications—namely, the ID Dashboard and Atlassian Crowd—are able to read the database and modify entries. These applications identify themselves to the LDAP server by authenticating as a system account. Because most other applications (JIRA, Confluence, Discourse, etc.) get user data from Crowd or the Dashboard, there's no need to expose the LDAP server to them.
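As an added illustration (not OpenMRS's own code) of the points above: a DN is the RDN joined to the parent's DN, 'add' and 'modify' carry attribute lists, and only the bound system accounts may write. The base DN, the `ou=users` / `ou=system` names and the Dashboard and Crowd account DNs are assumed values.

```python
# Added example, not OpenMRS's own code. The base DN, the ou names and the
# system-account DNs below are assumed values chosen for illustration.
BASE_DN = "dc=example,dc=org"
SYSTEM_ACCOUNTS = {f"cn=dashboard,ou=system,{BASE_DN}", f"cn=crowd,ou=system,{BASE_DN}"}

def make_dn(rdn_attr, rdn_value, parent):
    """A DN is the entry's RDN (one of its attributes) followed by the parent's DN."""
    return f"{rdn_attr}={rdn_value},{parent}"

class Directory:
    def __init__(self):  # in-memory stand-in for the LDAP tree: DN -> {attribute: [values]}
        self.entries = {BASE_DN: {"objectClass": ["dcObject", "organization"]}}

    def _authorize(self, bind_dn):  # writes only from the bound system accounts
        if bind_dn not in SYSTEM_ACCOUNTS:
            raise PermissionError(f"{bind_dn} is not permitted to write")

    def add(self, bind_dn, dn, attributes):
        self._authorize(bind_dn)
        if dn in self.entries:
            raise ValueError(f"{dn} already exists")
        parent = dn.split(",", 1)[1]  # naive split; RFC 4514 escaped commas not handled
        if parent not in self.entries:
            raise LookupError(f"parent {parent} does not exist")
        self.entries[dn] = {k: list(v) for k, v in attributes.items()}

    def modify(self, bind_dn, dn, changes):
        """changes: list of (op, attribute, values), op in add/replace/delete."""
        self._authorize(bind_dn)
        entry = self.entries[dn]  # KeyError if the entry does not exist
        for op, attr, values in changes:
            if op == "replace":
                entry[attr] = list(values)
            elif op == "add":
                entry.setdefault(attr, []).extend(values)
            elif op == "delete":
                entry.pop(attr, None)
            else:
                raise ValueError(f"unknown modify operation {op}")

def build_sample_directory():
    """Populate ou=users with one user, acting as the ID Dashboard system account."""
    d, dashboard = Directory(), f"cn=dashboard,ou=system,{BASE_DN}"
    users_ou = make_dn("ou", "users", BASE_DN)
    d.add(dashboard, users_ou, {"objectClass": ["organizationalUnit"], "ou": ["users"]})
    alice = make_dn("uid", "alice", users_ou)
    d.add(dashboard, alice, {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
                             "givenName": ["Alice"], "mail": ["alice@example.org"]})
    d.modify(dashboard, alice, [("replace", "mail", ["alice@example.net"])])
    return d
```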