Static, dynamic, and nested groups

The LDAP server supports group definitions. A group definition associates a collection of names so that they can be used together for access control checking or for application-specific purposes such as a mailing list. See Using access control for additional information about access control checking.

The LDAP server supports static, dynamic, and nested groups. Static, dynamic, and nested group memberships can be queried using the ibm-allMembers and ibm-allGroups operational attributes. For a given group entry, the ibm-allMembers attribute enumerates all of the members that belong to that group. For a given user entry, the ibm-allGroups attribute determines the groups that the user has membership in.

A search request specifying the ibm-allMembers or ibm-allGroups attribute returns group membership information for just the backend containing the base entry. Access checking is performed for the member and uniqueMember attributes when obtaining the group membership information. Additional access checking is performed on any of the attributes contained in a dynamic group URL search filter on the memberURL attribute. Access checking is not performed on the memberURL and ibm-memberGroup attributes themselves.
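
The following Python is an added example, not code from the LDAP server or its documentation. It lists the attributes named in memberURL search filters, which are the attributes that receive the additional access check described above, so an administrator can review the ACLs on them. It assumes memberURL values use the RFC 4516 LDAP URL form with RFC 4515 filters; the function names, sample URLs, and DNs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Attribute description at the start of each RFC 4515 filter item, e.g.
# "(title=", "(age>=", "(cn:dn:caseExactMatch:=". Parentheses inside values
# are escaped as \28 and \29, so a literal "(" always opens an item or a
# nested &, | or ! filter.
_ITEM = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)"
                   r"(?:;[A-Za-z0-9-]+)*(?::dn)?(?::[A-Za-z0-9.-]+)?\s*[<>~:]?=")

def parse_member_url(url):
    """Split an LDAP URL (RFC 4516) into base DN, scope and filter."""
    m = re.match(r"(?i)ldaps?://[^/]*/(.*)$", url.strip())
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    # Fields after the DN are attributes, scope, filter (extensions ignored).
    parts = (m.group(1).split("?") + [""] * 4)[:4]
    base, _attrs, scope, flt = (unquote(p) for p in parts)
    # RFC 4516 defaults: scope "base", filter "(objectClass=*)".
    return base, (scope or "base").lower(), flt or "(objectClass=*)"

def filter_attributes(url):
    """Return the lower-cased attribute names used in the URL's filter."""
    _base, _scope, flt = parse_member_url(url)
    return sorted({m.group(1).lower() for m in _ITEM.finditer(flt)})

def audit(member_urls):
    """Map each filter attribute to the memberURL values that reference it."""
    report = {}
    for url in member_urls:
        for attr in filter_attributes(url):
            report.setdefault(attr, []).append(url)
    return report

# Constructed sample memberURL values (not taken from any real directory).
SAMPLE_MEMBER_URLS = [
    "ldap:///ou=people,o=example??sub?(&(objectclass=person)(title=*manager))",
    "ldap:///ou=people,o=example??one?(|(departmentNumber=42)(!(employeeType=contractor)))",
    "ldap:///ou=people,o=example??sub?(description=on%20call)",
]

if __name__ == "__main__":
    for attr, urls in sorted(audit(SAMPLE_MEMBER_URLS).items()):
        print(f"{attr}: referenced by {len(urls)} memberURL value(s)")
```
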