Authenticating Nested Groups in LDAP
Solution 1:
What application are you trying to configure.
There large majority of application that have some level of LDAP support as an LDAP client, simply have no support for nested groups.
Short of modifying the software, you may be out of luck.
If your LDAP server happens to be Microsoft Active Directory, then there is a non-standard search filter, that may help you.
See: - http://support.microsoft.com/kb/914828 - http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx
The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to provide a method to look up the ancestry of an object. Many applications using AD and AD LDS usually work with hierarchical data, which is ordered by parent-child relationships. Previously, applications performed transitive group expansion to figure out group membership, which used too much network bandwidth; applications needed to make multiple roundtrips to figure out if an object fell "in the chain" if a link is traversed through to the end.