cn=Engineering Group) that has uniquemember attributes consisting of other groups, such as cn=Developers Group and the cn=QA Group respectively.
dn: cn=Engineering Group,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
uniquemember: cn=QA,ou=Groups,dc=example,dc=com

Nested group support is enabled by default on the Directory Server. To support
nested groups without the performance hit, the Directory Server uses a group
cache, which is also enabled by default. The cache supports static group nesting that includes
other static, virtual static, and dynamic groups. The Directory Server provides a
new monitoring entry for the group cache, cn=Group Cache,cn=Monitor.
In practice, nested groups are not commonly used for several reasons. LDAP specifications do not directly address the concept of nested groups, and some servers do not provide any level of support for them. Supporting nested groups in LDAP clients is not trivial, and many directory server-enabled applications that can interact with groups do not provide any support for nesting. If nesting support is not needed in your environment, or if nesting support is only required for clients but is not needed for server-side evaluation (such as for groups used in access control rules, criteria, virtual attributes, or other ways that the server may need to make a membership determination), then this support should be disabled.
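
To show why client-side nesting support is not trivial, the following added example (not Directory Server code) expands the Engineering Group entry above transitively and guards against membership loops. The Developers and QA entries, the user DNs, the loop from QA back to Engineering Group, and the simplified DN normalization are constructed assumptions; any member whose entry is not a groupOfUniqueNames is treated as a leaf member.

```python
# Added example: client-side nested static group expansion over sample LDIF.
LDIF = """\
dn: cn=Engineering Group,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
uniquemember: cn=QA,ou=Groups,dc=example,dc=com

dn: cn=Developers,ou=Groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: uid=alice,ou=People,dc=example,dc=com

dn: cn=QA,ou=Groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: uid=bob,ou=People,dc=example,dc=com
uniquemember: cn=Engineering Group,ou=Groups,dc=example,dc=com
"""

def norm(dn):
    # Simplified DN normalization (assumption): lowercase, trim around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} for simple, unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm(attrs["dn"][0])] = attrs
    return entries

def effective_members(entries, group_dn):
    """Expand uniquemember transitively; `seen` stops membership loops."""
    users, seen, stack = set(), set(), [norm(group_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue  # group already expanded: a cycle or a shared subgroup
        seen.add(dn)
        for member in entries.get(dn, {}).get("uniquemember", []):
            m = norm(member)
            classes = [c.lower() for c in entries.get(m, {}).get("objectclass", [])]
            if "groupofuniquenames" in classes:
                stack.append(m)   # nested group: expand it later
            else:
                users.add(m)      # leaf member (user or unknown entry)
    return users
```

Without the `seen` set, the constructed loop between QA and Engineering Group would make the expansion run forever, which is one of the cases a client has to handle itself when the server does not evaluate nesting for it.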