PingDirectory Server supports nested groups, in which the distinguished name (DN) of an entry that itself defines a group is listed as a member of the parent group entry. The following example shows a nested static group, cn=Engineering Group, whose uniquemember attribute values are the DNs of two other groups, cn=Developers and cn=QA:
dn: cn=Engineering Group,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
uniquemember: cn=QA,ou=Groups,dc=example,dc=com
By default, nested group support is enabled on the Directory Server. The Directory Server maintains a group cache so that nested group membership can be evaluated without a performance penalty. The cache supports static groups that nest other static, virtual static, and dynamic groups. The Directory Server also provides a monitor entry for the group cache, cn=Group Cache,cn=Monitor.
In practice, nested groups are not commonly used for the following reasons:
- LDAP specifications do not directly address the concept of nested groups, and some servers do not provide any level of support for them.
- Supporting nested groups in LDAP clients is not trivial, and many directory server-enabled applications that can interact with groups do not provide any support for nesting.
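Because the server does not expand nesting for a client that reads the group entries directly, the client has to walk the member references itself. The following is an added example (not PingDirectory code or a PingDirectory API) that does this client-side: it parses a constructed LDIF containing the cn=Engineering Group entry from above plus the two groups it nests, follows both member and uniquemember references through any static group object class, and detects a membership loop (the constructed cn=QA entry deliberately lists cn=Engineering Group as a member again) instead of recursing forever. DN normalization here is a simplification of RFC 4517 matching, as noted in the code.

```python
"""Client-side resolution of nested LDAP static groups.

Added example, not PingDirectory code. It parses a small LDIF of group
entries, resolves the transitive membership of one group, and reports
any membership loop instead of recursing forever.
"""
import base64

# Constructed sample: the cn=Engineering Group entry from the page plus the
# two groups it nests. The QA group deliberately lists Engineering Group as a
# member again to create a loop that a naive client would follow forever.
SAMPLE_LDIF = """\
dn: cn=Engineering Group,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
uniquemember: cn=QA,ou=Groups,dc=example,dc=com

dn: cn=Developers,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Developers
uniquemember: uid=alice,ou=People,dc=example,dc=com
uniquemember: uid=bob,ou=People,dc=example,dc=com

dn: cn=QA,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: QA
member: uid=carol,ou=People,dc=example,dc=com
member: cn=Engineering Group,ou=Groups,dc=example,dc=com
"""

# Static group object classes and the membership attributes they use.
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "groupofentries"}
MEMBER_ATTRS = ("member", "uniquemember")


def normalize_dn(dn):
    """Case-fold and strip RDN spacing so member values match entry DNs.
    Simplification: escaped commas and multi-valued RDNs are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse LDIF into {normalized dn: {attr (lower-case): [values]}}.
    Handles folded continuation lines and base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current, dn = {}, {}, None
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):              # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name == "dn":
            dn = normalize_dn(value)
        else:
            current.setdefault(name, []).append(value)
    return entries


def is_group(entry):
    return bool(GROUP_CLASSES & {v.lower() for v in entry.get("objectclass", [])})


def resolve_members(entries, group_dn):
    """Return (users, nested_groups, cycles) for group_dn.

    Member values naming another group entry are expanded; anything else is
    a leaf member. The path from the starting group travels with each stack
    item, so a group that is its own ancestor is reported as a cycle."""
    start = normalize_dn(group_dn)
    if start not in entries or not is_group(entries[start]):
        raise ValueError(f"not a known static group: {group_dn}")
    users, visited, cycles = set(), set(), []
    stack = [(start, (start,))]
    while stack:
        gdn, path = stack.pop()
        if gdn in visited:
            continue
        visited.add(gdn)
        for attr in MEMBER_ATTRS:
            for value in entries[gdn].get(attr, []):
                mdn = normalize_dn(value)
                if mdn in entries and is_group(entries[mdn]):
                    if mdn in path:
                        cycles.append(path + (mdn,))   # loop: do not descend
                    else:
                        stack.append((mdn, path + (mdn,)))
                else:
                    users.add(mdn)
    return sorted(users), sorted(visited - {start}), cycles


def is_member(entries, group_dn, user_dn):
    # The transitive check a client must implement when the server does not.
    return normalize_dn(user_dn) in resolve_members(entries, group_dn)[0]


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print(resolve_members(groups, "cn=Engineering Group,ou=Groups,dc=example,dc=com"))
```

In a real client the entries would come from an LDAP search for the group object classes rather than from an inline LDIF string, but the expansion logic, including the loop guard, is the same; a client that omits the path check will spin on the QA-to-Engineering reference in the sample.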
Disable this support if:
- Nesting support is not needed in your environment.
- Nesting support is needed only by clients that expand group membership themselves, and not for server-side evaluation, such as groups used in access control rules, criteria, virtual attributes, or any other case in which the server must make a membership determination itself. Once server-side nesting is disabled, a determination the server makes (for example, an access control rule that names cn=Engineering Group) no longer includes the members of cn=Developers or cn=QA; only clients that follow the nested references themselves will see them.
To create nested static groups: