1. The following example shows how to set up a nested static group, which is a static group that contains uniquemember attributes whose values contain other groups (static, virtual static, or dynamic). Open a text editor, and then create a group entry in LDIF. Make sure to include the groupOfUniquenames object class and uniquemember attributes. If you did not have ou=groups set up in your server, then you can add it in the same file. When done, save the file as nested-group.ldif. Assume that the static groups, cn=Developers Group and cn=QA Group, have been configured.
    dn: ou=groups,dc=example,dc=com    
    objectclass: top    
    objectclass: organizationalunit    
    ou: groups  
    dn: cn=Engineering Group,ou=groups,dc=example,dc=com    
    objectclass: top
    objectclass: groupOfUniqueNames    
    cn: Engineering Group  
    uniquemember: cn=Developers,ou=groups,dc=example,dc=com    
    uniquemember: cn=QA,ou=groups,dc=example,dc=com
  2. Use ldapmodify to add the group entry.
    $ bin/ldapmodify --defaultAdd --filename nested-static-group.ldif
  3. Verify the configuration by using the isMemberOf virtual attribute that checks the group membership for an entry. By default, the virtual attribute is enabled. Use ldapsearch to specifically search the isMemberOf virtual attribute to determine if uid=user.14 is a member of the cn=Development group. In this example, assume that the administrator has the privilege to view operational attributes.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isMemberOf  
    dn: uid=user.14,ou=People,dc=example,dc=com    
    isMemberOf: cn=Development,ou=groups,dc=example,dc=com    
  4. Typically, you would want to use the group as a target in access control instructions. Open a text editor, create an ACI in LDIF, and save the file as eng-group-aci.ldif.
    dn: ou=People,dc=example,dc=com           
    changetype: modify           
    add: aci              
    aci: (target ="ldap:///ou=People,dc=example,dc=com")  
      (targetattr != "cn || sn || uid")             
      (targetfilter ="(ou=Engineering Group)")
      (version 3.0; acl "Engineering Group Permissions"; 
        allow (write) (groupdn = "ldap:///cn=Engineering Group,ou=groups,dc=example,dc=com");)
  5. Add the file using the ldapmodify tool.
    $ bin/ldapmodify --filename eng-group-aci.ldif
    Note: When nesting dynamic groups, you cannot include other groups as members of a dynamic group. You can only support "nesting" by including the members of another group with a filter in the member URL. For example, if you have two groups cn=dynamic1 and cn=dynamic2, you can nest one group in another by specifying it in the member URL as follows:
    objectClass: top
    objectClass: groupOfURLs
    memberURL: ldap:///dc=example,dc=com??sub?(isMemberOf=cn=dynamic2,ou=groups,dc=example,dc=com)
    The members included from the other group using this method are not considered "nested" members and will be returned even when using isDirectMemberOf when retrieving the members.