cn=Engineering Group) that has uniquemember attributes whose values are the DNs of other groups, in this case cn=Developers and cn=QA:

dn: cn=Engineering Group,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
uniquemember: cn=QA,ou=Groups,dc=example,dc=com
Nested group support is enabled by default on the Directory Server. To support
nested groups without the performance hit, the Directory Server uses a group
cache, which is also enabled by default. The cache supports static group nesting that
includes other static, virtual static, and dynamic groups. The Directory Server
provides a new monitoring entry for the group cache,
In practice, nested groups are not commonly used for several reasons. LDAP specifications do not directly address the concept of nested groups, and some servers do not provide any level of support for them. Supporting nested groups in LDAP clients is not trivial, and many directory server-enabled applications that can interact with groups do not provide any support for nesting. If nesting support is not needed in your environment, or if nesting support is only required for clients but is not needed for server-side evaluation (such as for groups used in access control rules, criteria, virtual attributes, or other ways that the server may need to make a membership determination), then this support should be disabled.
To create nested static groups:
The following example shows how to set up a nested static group, which is a static group whose uniquemember attributes contain the DNs of other groups (static, virtual static, or dynamic). Open a text editor and create the group entry in LDIF. Make sure to include the groupOfUniqueNames object class and the uniquemember attributes. If you do not have ou=groups set up in your server, you can add it in the same file. When done, save the file as nested-static-group.ldif. Assume that the static groups cn=Developers and cn=QA, which the new group references by DN, have already been configured.

dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: cn=Engineering Group,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=groups,dc=example,dc=com
uniquemember: cn=QA,ou=groups,dc=example,dc=com
Use ldapmodify to add the group entry.
$ bin/ldapmodify --defaultAdd --filename nested-static-group.ldif
Verify the configuration by using the isMemberOf virtual attribute, which reports the groups an entry belongs to. The virtual attribute is enabled by default. Use ldapsearch to request isMemberOf specifically and determine whether uid=user.14 is a member of the cn=Development group. In this example, assume that the administrator has the privilege to view operational attributes.

$ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isMemberOf
dn: uid=user.14,ou=People,dc=example,dc=com
isMemberOf: cn=Development,ou=groups,dc=example,dc=com

Because isMemberOf includes memberships obtained through nesting, a user who is a direct member of cn=Developers or cn=QA should also be reported as a member of cn=Engineering Group once the nested group is in place. To see only the groups that list an entry directly, request isDirectMemberOf instead.
Typically, you would want to use the group as a target in access control instructions. Open a text editor, create an ACI in LDIF, and save the file as eng-group-aci.ldif:

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///ou=People,dc=example,dc=com") (targetattr != "cn || sn || uid") (targetfilter ="(ou=Engineering Group)") (version 3.0; acl "Engineering Group Permissions"; allow (write) (groupdn = "ldap:///cn=Engineering Group,ou=groups,dc=example,dc=com");)

Two points to check before loading an ACI like this. First, the groupdn bind rule matches nested members only while nested group support is enabled on the server; with it disabled, only the entries listed directly as uniquemember values of cn=Engineering Group (here the two group entries themselves) would satisfy the rule. Second, a negated targetattr grants the permission on every user attribute except the ones listed, including sensitive attributes such as userPassword; if that is not the intent, name the writable attributes explicitly instead.
Add the file using the ldapmodify tool.
$ bin/ldapmodify --filename eng-group-aci.ldif

Note: When nesting dynamic groups, you cannot include other groups as members of a dynamic group. You can only support "nesting" by including the members of another group with a filter in the member URL. For example, if you have two groups, cn=dynamic1 and cn=dynamic2, you can nest one group in the other by specifying it in the member URL as follows:

dn: cn=dynamic1,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: dynamic1
memberURL: ldap:///dc=example,dc=com??sub?(isMemberOf=cn=dynamic2,ou=groups,dc=example,dc=com)

The members included from the other group using this method are not considered "nested" members and will be returned even when using isDirectMemberOf to retrieve the members.
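The page notes that supporting nested groups in an LDAP client is not trivial, and that members pulled into a dynamic group through a memberURL filter count as direct members rather than nested ones. The following added example (not code from the original page or from the Directory Server product) models both points client-side: it reads group entries from LDIF, resolves groupOfUniqueNames nesting transitively while tolerating nesting cycles, and reports isMemberOf-style and isDirectMemberOf-style results. The sample LDIF is constructed from the page's DNs; the user DNs uid=user.14 and uid=user.27, the dynamic group cn=dynamic1 pointing at cn=Engineering Group, and the DN normalisation shortcut are assumptions for this example, and only memberURL filters of the form (isMemberOf=<group DN>) are evaluated.

```python
"""Client-side nested-group resolution (added example, not product code).
Models isMemberOf / isDirectMemberOf semantics for groupOfUniqueNames nesting
plus dynamic groups whose memberURL filter is (isMemberOf=<group DN>)."""
import re

# Constructed sample data built on the page's DNs; the dynamic group and the
# user DNs (user.14, user.27) are assumptions for this example.
SAMPLE_LDIF = """\
dn: cn=Developers,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Developers
uniquemember: uid=user.14,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
uniquemember: uid=user.27,ou=People,dc=example,dc=com

dn: cn=Engineering Group,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=groups,dc=example,dc=com
uniquemember: cn=QA,ou=groups,dc=example,dc=com

dn: cn=dynamic1,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: dynamic1
memberURL: ldap:///dc=example,dc=com??sub?(isMemberOf=cn=Engineering Group,ou=groups,dc=example,dc=com)
"""

# Only the filter shape the page shows is evaluated; any other memberURL
# filter would need a real LDAP filter evaluator and is ignored here.
_ISMEMBEROF_URL = re.compile(r"\?\(isMemberOf=([^)]+)\)\s*$", re.IGNORECASE)

def norm_dn(dn):
    """Crude DN normalisation (case-fold, trim around commas); a real client
    should use a proper DN parser."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Minimal LDIF reader (no continuation lines or base64) ->
    {normalised dn: {lowercase attribute: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def build_groups(entries):
    """Keep only what the membership rules need from each group entry."""
    groups = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes & {"groupofuniquenames", "groupofurls"}:
            continue
        spec = {"static": {norm_dn(m) for m in attrs.get("uniquemember", [])},
                "dynamic_target": None}
        for url in attrs.get("memberurl", []):
            m = _ISMEMBEROF_URL.search(url)
            if m:
                spec["dynamic_target"] = norm_dn(m.group(1))
        groups[dn] = spec
    return groups

def is_member_of(groups, entry_dn):
    """All groups the entry belongs to, directly or through nesting (isMemberOf).
    Fixed-point iteration: a static group joins the result when it lists the
    entry or lists a group already in the result; a dynamic (isMemberOf=G) group
    joins once G is in the result. The set only grows, so a nesting cycle such
    as A -> B -> A terminates instead of recursing forever."""
    entry = norm_dn(entry_dn)
    result = set()
    while True:
        new = set()
        for gdn, spec in groups.items():
            if gdn in result:
                continue
            if entry in spec["static"] or spec["static"] & result:
                new.add(gdn)
            elif spec["dynamic_target"] is not None and spec["dynamic_target"] in result:
                new.add(gdn)
        if not new:
            return result
        result |= new

def is_direct_member_of(groups, entry_dn):
    """Groups that name the entry themselves (isDirectMemberOf). Members pulled
    in through a memberURL count as direct even though the filter selected them
    via another group's membership, which is the caveat the page raises."""
    entry = norm_dn(entry_dn)
    everything = is_member_of(groups, entry_dn)
    return {g for g, spec in groups.items()
            if entry in spec["static"]
            or (spec["dynamic_target"] is not None and spec["dynamic_target"] in everything)}

def load_groups(ldif_text=SAMPLE_LDIF):
    """Parse LDIF text and return the group map used by the functions above."""
    return build_groups(parse_ldif(ldif_text))
```

With the sample data, is_member_of for uid=user.14 yields cn=Developers, cn=Engineering Group (through nesting) and cn=dynamic1 (through its memberURL), while is_direct_member_of drops cn=Engineering Group but keeps cn=dynamic1, mirroring the server-side behaviour described above. The fixed-point loop is the part worth keeping: a naive recursive walk over uniquemember values will loop forever the first time someone creates two groups that list each other.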