
LDAP dynamic and nested groups

Dynamic groups have membership criteria, which means we do not have to manually maintain members on a static group object. The group membership is derived from the information on the user object. Ideally, dynamic groups do not require a large amount of information from the directory to find out whether someone is a member of a group.

Nested groups enable the creation of hierarchical relationships used to define inherited group membership. A nested group is defined as a child group entry whose distinguished name (DN) is referenced by a parent group entry attribute.

We only need to assign a larger parent group if all nested groups share the same privilege. Assigning a role to a single parent group simplifies the run-time authorization table.


IBM Tivoli Directory Server

WebSphere Application Server supports all LDAP dynamic and nested groups when using IBM Security Directory Server. This function is enabled by default. IBM Tivoli Directory Server uses the ibm-allGroups forward-reference group attribute, which automatically calculates all the group memberships for a user, including dynamic and recursive memberships. The security runtime reads a user's group memberships directly from the user object rather than indirectly searching all the groups to match group members.
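To make the two mechanisms above concrete, here is an added example (not WebSphere or IBM Security Directory Server code) that resolves a user's complete group list the indirect way: it evaluates the memberURL filter of a dynamic group, then walks parent groups whose member attribute references a child group's DN, with a guard against group cycles. The in-memory directory, its DNs and attribute values are constructed for the example; memberURL, uniqueMember, groupOfURLs and groupOfUniqueNames are standard LDAP names, but the filter evaluator handles only the (attr=value), &, | and ! forms. A forward-reference attribute such as ibm-allGroups is what lets a server hand back the result of all_groups() from the user entry instead of repeating this search.

```python
"""Toy resolver for dynamic and nested LDAP group membership (added example)."""
from urllib.parse import unquote

# Constructed sample directory: DN -> attributes. "operators" nests the dynamic
# group "ops-staff" and also references "admins", which references "operators"
# back, so the walk must cope with a cycle.
DIRECTORY = {
    "uid=alice,ou=people,o=example": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "departmentNumber": ["ops"]},
    "uid=bob,ou=people,o=example": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "departmentNumber": ["dev"]},
    # Dynamic group: members are whatever entries match the memberURL filter.
    "cn=ops-staff,ou=groups,o=example": {
        "objectClass": ["groupOfURLs"],
        "memberURL": ["ldap:///ou=people,o=example??sub?"
                      "(&(objectClass=inetOrgPerson)(departmentNumber=ops))"]},
    # Static parent group: one member is the DN of the dynamic group (nesting).
    "cn=operators,ou=groups,o=example": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["cn=ops-staff,ou=groups,o=example",
                         "uid=bob,ou=people,o=example",
                         "cn=admins,ou=groups,o=example"]},
    "cn=admins,ou=groups,o=example": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["cn=operators,ou=groups,o=example"]},
}
GROUP_CLASSES = {"groupofurls", "groupofuniquenames", "groupofnames"}


def _norm_dn(dn):
    """Case-fold and strip spaces around RDN separators (escaped commas not handled)."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def _attr(entry, name):
    """Case-insensitive attribute lookup, returning [] when absent."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def _parse_filter(s, i=0):
    """Parse a subset of RFC 4515 filters starting at s[i] == '('; return (node, next)."""
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            children.append(node)
        return (op, children), i + 1
    if s[i] == "!":
        node, i = _parse_filter(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", (attr, value)), end + 1


def _matches(entry, node):
    op, arg = node
    if op == "&":
        return all(_matches(entry, c) for c in arg)
    if op == "|":
        return any(_matches(entry, c) for c in arg)
    if op == "!":
        return not _matches(entry, arg[0])
    attr, value = arg
    values = [v.lower() for v in _attr(entry, attr)]
    return bool(values) if value == "*" else value.lower() in values


def _parse_member_url(url):
    """Split an LDAP URL (RFC 4516) 'ldap://host/base?attrs?scope?filter'; host ignored."""
    _, _, rest = url[len("ldap://"):].partition("/")
    base, _attrs, scope, flt = (rest.split("?") + [""] * 4)[:4]
    return unquote(base), (scope or "base").lower(), unquote(flt) or "(objectClass=*)"


def _in_scope(dn, base, scope):
    dn, base = _norm_dn(dn), _norm_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)


def direct_members(group_dn):
    """Normalized DNs that are direct members of a static or dynamic group."""
    entry = DIRECTORY[group_dn]
    members = {_norm_dn(m) for a in ("member", "uniqueMember") for m in _attr(entry, a)}
    for url in _attr(entry, "memberURL"):
        base, scope, flt = _parse_member_url(url)
        node, _ = _parse_filter(flt)
        members.update(_norm_dn(dn) for dn, e in DIRECTORY.items()
                       if _in_scope(dn, base, scope) and _matches(e, node))
    return members


def all_groups(user_dn):
    """Every group the user is in, directly or via nesting; the visited set stops cycles."""
    found, frontier = set(), [_norm_dn(user_dn)]
    while frontier:
        dn = frontier.pop()
        for gdn, entry in DIRECTORY.items():
            is_group = GROUP_CLASSES & {c.lower() for c in _attr(entry, "objectClass")}
            if is_group and dn in direct_members(gdn) and _norm_dn(gdn) not in found:
                found.add(_norm_dn(gdn))
                frontier.append(_norm_dn(gdn))
    return found


if __name__ == "__main__":
    for user in ("uid=alice,ou=people,o=example", "uid=bob,ou=people,o=example"):
        print(user, "->", sorted(all_groups(user)))
```

Note that every call to all_groups() re-reads the whole directory and re-evaluates every dynamic filter, which is the cost the text refers to when it contrasts searching all groups with reading a precomputed attribute on the user entry.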


SunONE or iPlanet Directory Server

The SunONE or iPlanet Directory Server uses two grouping mechanisms:

Three types of roles are available:


Related tasks


Dynamic and Nested groups - IBM Security Directory Server
Dynamic and Nested groups - SunONE or iPlanet Directory Server
Locate user group memberships in a LDAP registry
LDAP directory servers