How to handle nested groups in LDAP

Solution 1:

Sounds like you could go with groupOfNames - that object contains a collection of LDAP Distinguished Names, so it can hold users and other groups without a problem. The caveat is that unwinding the membership tree (and ensuring there are no cycles in it, or handling cycles gracefully) is the responsibility of your software.

I've never done the forward references thing myself (I prefer the "Group has these Members" approach above rather than "Member is in these Groups" - my brain has an easier time with it), but my group structures are typically discrete, non-nested memberships so there may be advantages I'm overlooking.

Solution 2:

OpenLDAP can use nested groups in access control rules, explained in detail here: http://www.openldap.org/faq/data/cache/1133.html

Nested groups can also be used for Linux logins when set up using the directions in this answer: dn-based linux groups from ldap

Whether other applications make use of nested groups is up to them. I know that Samba does, while Openfire does not. I've also created a set of PHP classes to allow our intranet applications to use nested groups. It wasn't exactly hard, it just took a little time.
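Both answers leave the actual unwinding of nested groupOfNames membership to the application: Solution 1 points out that the software has to walk the tree and cope with cycles, and Solution 2 mentions writing classes so intranet applications can use nested groups. The following Python is an added example, not code from either answer and not the PHP classes mentioned above. It works over a constructed in-memory map of group DN to `member` values (all DNs are hypothetical); in a real deployment that map would be filled from an LDAP search for `(objectClass=groupOfNames)` returning the `member` attribute. It resolves both directions ("group has these members" and "member is in these groups"), stops on cycles and self-references, bounds nesting depth, and can report the cycles it finds so an administrator can fix the directory.

```python
"""Resolve nested groupOfNames membership without looping on cycles.

Added example. DIRECTORY is constructed sample data, not a real directory:
it maps each group DN to the values of its ``member`` attribute, which is
what a search for (objectClass=groupOfNames) returning ``member`` would give.
"""
from collections import deque

# Constructed sample data; every DN here is hypothetical.
DIRECTORY = {
    "cn=all-staff,ou=groups,dc=example,dc=com": [
        "cn=engineering,ou=groups,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",
        "uid=ceo,ou=people,dc=example,dc=com",
    ],
    "cn=engineering,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=backend,ou=groups,dc=example,dc=com",
    ],
    "cn=backend,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        # Cycle: backend lists engineering, which lists backend.
        "cn=engineering,ou=groups,dc=example,dc=com",
    ],
    "cn=ops,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",  # group that lists itself
    ],
}


def normalize_dn(dn):
    """Canonicalise a DN for comparison: lowercase, no blanks around the RDN
    separators. A simplification; a full implementation follows RFC 4514."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def build_index(directory):
    """Return {group_dn: [member_dn, ...]} with every DN normalised."""
    return {normalize_dn(g): [normalize_dn(m) for m in members]
            for g, members in directory.items()}


def expand_group(group_dn, directory, max_depth=32):
    """Flatten a group into the set of non-group entries it transitively contains.

    A DN that is a key of the directory is treated as a nested group; anything
    else is a leaf (user, service account, ...). Groups already visited are not
    queued again, so A -> B -> A and self-references terminate. max_depth bounds
    how deep nesting is followed, as a guard against pathological trees."""
    index = build_index(directory)
    start = normalize_dn(group_dn)
    if start not in index:
        raise KeyError(f"{group_dn} is not a known group")
    users, seen = set(), {start}
    queue = deque([(start, 0)])
    while queue:
        group, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for member in index[group]:
            if member in index:  # nested group: follow it once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, depth + 1))
            else:  # leaf entry
                users.add(member)
    return users


def groups_of(member_dn, directory):
    """Reverse direction: every group the DN belongs to, directly or via nesting."""
    index = build_index(directory)
    parents = {}
    for group, members in index.items():
        for m in members:
            parents.setdefault(m, set()).add(group)
    found, queue = set(), deque([normalize_dn(member_dn)])
    while queue:
        dn = queue.popleft()
        for parent in parents.get(dn, ()):
            if parent not in found:
                found.add(parent)
                queue.append(parent)
    return found


def find_cycles(directory):
    """List the cycles in the group nesting graph, each as a list of group DNs
    ending where it started. Depth-first search with white/grey/black colouring:
    reaching a grey (in-progress) group means a back edge, hence a cycle."""
    index = build_index(directory)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in index}
    cycles, path = [], []

    def visit(group):
        colour[group] = GREY
        path.append(group)
        for member in index[group]:
            if member not in index:
                continue
            if colour[member] == GREY:
                cycles.append(path[path.index(member):] + [member])
            elif colour[member] == WHITE:
                visit(member)
        path.pop()
        colour[group] = BLACK

    for g in index:
        if colour[g] == WHITE:
            visit(g)
    return cycles


if __name__ == "__main__":
    print("all-staff members:", sorted(expand_group(
        "cn=all-staff,ou=groups,dc=example,dc=com", DIRECTORY)))
    print("groups of bob:", sorted(groups_of(
        "uid=bob,ou=people,dc=example,dc=com", DIRECTORY)))
    print("cycles:", find_cycles(DIRECTORY))
```

For an access decision, `expand_group` is the call to make at authorisation time (is this user in the flattened set?), while `find_cycles` belongs in a periodic check, since a loop in the directory is usually a data-entry mistake rather than something the application should silently tolerate. The `max_depth` guard exists so that an unexpectedly deep or hostile group structure cannot turn every login into a long walk.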