The nesting of groups enables the creation of hierarchical relationships that can be used to define inherited group membership. A nested group is defined as a child group entry whose DN is referenced by an attribute contained within a parent group entry. A parent group is created by extending one of the structural group object classes (groupOfNames, groupOfUniqueNames, accessGroup, accessRole, or groupOfURLs) with the addition of the ibm-nestedGroup auxiliary object class. After nested group extension, zero or more ibm-memberGroup attributes can be added, with their values set to the DNs of nested child groups. For example:
dn: cn=Group 2, cn=Groups, o=IBM, c=US objectclass: groupOfNames objectclass: ibm-nestedGroup objectclass: top cn: Group 2 description: Group composed of static, and nested members. member: cn=Person 2.1, cn=Dept 2, cn=Employees, o=IBM, c=US member: cn=Person 2.2, cn=Dept 2, cn=Employees, o=IBM, c=US ibm-memberGroup: cn=Group 8, cn=Nested Static, cn=Groups, o=IBM, c=US
The introduction of cycles into the nested group hierarchy is not allowed. If it is determined that a nested group operation results in a cyclical reference, either directly or through inheritance, it is considered a constraint violation and therefore, the update to the entry fails.