The PingDirectory Server supports nested groups, where the DN of an entry that defines a group is included as a member in the parent entry. For example, the following example shows a nested static group (e.g., cn=Engineering Group) that has uniquemember attributes consisting of other groups, such as cn=Developers Group and the cn=QA Group respectively.
dn: cn=Engineering Group,ou=Groups,dc=example,dc=com         
objectclass: top
objectclass: groupOfUniqueNames         
cn: Engineering Group  
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com         
uniquemember: cn=QA,ou=Groups,dc=example,dc=com

Nested group support is enabled by default on the Directory Server. To support nested groups without the performance hit, the Directory Server uses a group cache, which is also enabled by default. The cache supports static group nesting that includes other static, virtual static, and dynamic groups. The Directory Server provides a new monitoring entry for the group cache, cn=Group Cache,cn=Monitor.

In practice, nested groups are not commonly used for several reasons. LDAP specifications do not directly address the concept of nested groups, and some servers do not provide any level of support for them. Supporting nested groups in LDAP clients is not trivial, and many directory server-enabled applications that can interact with groups do not provide any support for nesting. If nesting support is not needed in your environment, or if nesting support is only required for clients but is not needed for server-side evaluation (such as for groups used in access control rules, criteria, virtual attributes, or other ways that the server may need to make a membership determination), then this support should be disabled.