z/OS IBM Tivoli Directory Server Administration and Use for z/OS


Nested groups

SC23-6788-00

A nested group is defined as a group that references other group entries, which can be static, dynamic, or nested groups. The ibm-nestedGroup object class uses the multi-valued attribute called ibm-memberGroup to indicate the DNs of the groups that are referenced by the nested group. This object class and attribute are always in the LDAP server schema and cannot be modified. Nested groups allow LDAP administrators to construct and display group hierarchies that describe both direct and indirect group memberships.

A group referenced within the nested group is ignored if it is not in the same backend as the nested group.

The group hierarchy established by a nested group cannot loop back to itself. The LDBM or CDBM backend rejects an add or modify operation of a nested group entry if it results in a loop. To be compatible with TDBM in the Integrated Security Services LDAP server on previous releases, the TDBM backend allows such an add or modify operation of a nested group. When the nested group is expanded, such as in an ibm-allMembers search of the group, TDBM detects the loop and continues with the next part of the expansion.
Note: The ibm-nestedGroup object class is an AUXILIARY object class and also requires a STRUCTURAL object class.
A typical nested group entry is as follows:
dn: cn=ldap_team_nested,o=endicott
objectclass: container
objectclass: ibm-nestedGroup
cn: ldap_team_nested
ibm-memberGroup: cn=ldap_team_static,o=endicott
ibm-memberGroup: cn=ldap_team_dynamic,o=endicott
ibm-memberGroup: cn=ldaptest_team_nested,o=endicott
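The following Python model is an added example and is not code from the IBM documentation or from the z/OS LDAP server. It models the three rules above: a referenced group in another backend is ignored, an LDBM/CDBM add or modify that would make the hierarchy loop back on itself is rejected, and a TDBM-style ibm-allMembers expansion tolerates such a loop and continues with the rest of the expansion. The nested group DNs reuse the sample entry shown above; the static group DNs (cn=ldaptest_static,o=endicott, cn=remote_static,o=remote), the person DNs, and the "backend" tag that stands in for the backend holding each entry are constructed for the example. Only static (member) and nested (ibm-memberGroup) groups are modelled; dynamic groups (memberURL evaluation) are out of scope.

```python
"""Constructed model of the nested-group rules on this page (not IBM code).

  * LDBM/CDBM reject an add or modify of a nested group that would make the
    hierarchy loop back to itself (write_nested_group).
  * TDBM accepts such a write; ibm-allMembers expansion then detects the loop
    and continues with the rest of the expansion (expand_all_members).
  * A referenced group outside the nested group's backend is ignored.
Only static groups (member) and nested groups (ibm-memberGroup) are modelled;
dynamic groups (memberURL filter evaluation) are out of scope.
"""
from copy import deepcopy

# Constructed sample directory. "backend" is a constructed tag naming the
# backend that holds each entry; it is not an LDAP attribute.
SAMPLE_ENTRIES = {
    "cn=ldap_team_static,o=endicott": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=alice,o=endicott", "cn=bob,o=endicott"],
        "backend": "LDBM",
    },
    "cn=ldaptest_static,o=endicott": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=carol,o=endicott"],
        "backend": "LDBM",
    },
    "cn=remote_static,o=remote": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=dave,o=remote"],
        "backend": "OTHER",  # different backend: reference must be ignored
    },
    "cn=ldaptest_team_nested,o=endicott": {
        "objectclass": ["container", "ibm-nestedGroup"],
        "ibm-memberGroup": ["cn=ldaptest_static,o=endicott",
                            "cn=remote_static,o=remote"],
        "backend": "LDBM",
    },
    "cn=ldap_team_nested,o=endicott": {
        "objectclass": ["container", "ibm-nestedGroup"],
        "ibm-memberGroup": ["cn=ldap_team_static,o=endicott",
                            "cn=ldaptest_team_nested,o=endicott"],
        "backend": "LDBM",
    },
}


def referenced_groups(entries, dn):
    """ibm-memberGroup values of `dn` that resolve to an existing entry in the
    same backend; references into other backends are ignored."""
    entry = entries[dn]
    return [g for g in entry.get("ibm-memberGroup", [])
            if g in entries and entries[g]["backend"] == entry["backend"]]


def _creates_loop(entries, dn):
    """True if, starting from the groups `dn` references, the hierarchy can
    reach `dn` again (a direct self-reference counts as a loop)."""
    seen, stack = set(), list(referenced_groups(entries, dn))
    while stack:
        g = stack.pop()
        if g == dn:
            return True
        if g in seen:
            continue
        seen.add(g)
        stack.extend(referenced_groups(entries, g))
    return False


def write_nested_group(entries, dn, new_entry, backend_type="LDBM"):
    """Model an add/modify of nested group `dn`. LDBM and CDBM reject the write
    if it would create a loop; TDBM accepts it and relies on expansion-time
    loop detection. Returns the updated directory on success."""
    candidate = deepcopy(entries)
    candidate[dn] = new_entry
    if backend_type in ("LDBM", "CDBM") and _creates_loop(candidate, dn):
        raise ValueError(f"nested group {dn} would loop back to itself")
    return candidate


def write_is_rejected(entries, dn, new_entry, backend_type="LDBM"):
    """Convenience wrapper: True if write_nested_group would refuse the write."""
    try:
        write_nested_group(entries, dn, new_entry, backend_type)
    except ValueError:
        return True
    return False


def expand_all_members(entries, dn):
    """TDBM-style ibm-allMembers expansion: collect every member reachable
    through the hierarchy, visiting each group at most once so that a loop is
    skipped and expansion continues with the next referenced group."""
    members, visited, stack = set(), set(), [dn]
    while stack:
        g = stack.pop()
        if g in visited:          # loop or diamond: already expanded
            continue
        visited.add(g)
        members.update(entries[g].get("member", []))
        stack.extend(referenced_groups(entries, g))
    return sorted(members)


if __name__ == "__main__":
    top = "cn=ldap_team_nested,o=endicott"
    inner = "cn=ldaptest_team_nested,o=endicott"
    print("ibm-allMembers of", top, "->", expand_all_members(SAMPLE_ENTRIES, top))
    looped = dict(SAMPLE_ENTRIES[inner])
    looped["ibm-memberGroup"] = ["cn=ldaptest_static,o=endicott", top]
    print("LDBM rejects loop:", write_is_rejected(SAMPLE_ENTRIES, inner, looped, "LDBM"))
    tdbm = write_nested_group(SAMPLE_ENTRIES, inner, looped, "TDBM")
    print("TDBM expansion with loop ->", expand_all_members(tdbm, top))
```

Running the module expands cn=ldap_team_nested,o=endicott to alice, bob and carol (dave is excluded because cn=remote_static,o=remote is in a different backend), shows the LDBM model refusing the modify that points cn=ldaptest_team_nested back at cn=ldap_team_nested, and shows the TDBM model accepting that modify while still producing the same three members.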





Copyright IBM Corporation 1990, 2014