Cool Solutions

Nested Groups support in eDirectory 8.8 SP2


October 28, 2007 11:32 am





In my last blog, I talked about the performance improvements in eDirectory 8.8 SP2. I am going to talk about a couple of new features this time.

Configurable LDAP interfaces

A multi-valued string attribute is added to the LDAP server object. This attribute is used to store LDAP URLs on which LDAP server listens (on both cleartext and secure ports). This attribute is useful in configuring multiple instances, that requires each instance of the eDirectory server to listen on a specific interface. The attribute can be configured with the IP addresses and port numbers in the LDAP URL format. The LDAP server listens on these IP addresses and ports.


The default value of ldapInterfaces attribute is ldap://:389 and ldaps://:636 This means, LDAP server listens on default ports on all the IP addresses configured in the machine.

Nested Groups

There have been multiple requests in the past to provide Nested Group support in eDirectory. We are there finally. eDirectory 8.8 SP2 comes with an experimental support for nested groups where groups can be member of another groups and rights can be assigned in a more organized way. I call it as experimental because the current implementation comes with its own limited support, such as:

  • Nested relationships do not span beyond the local server; the objects, users, and groups involved need to be locally present on the server.
  • No duplicate elimination is done in membership listing.
  • Nesting of dynamic groups is not supported.
  • Nested ACLs as well as the nesting semantics are not supported on older eDirectory servers (version 8.8 SP1 and earlier).Group nesting is possible only within the local server
  • Nested groups can be managed only through LDAP tools today. iManager plug-ins are awaited.

An existing static group can be promoted to a nested group by associating the nestedGroupAux auxiliary class. This auxiliary class should be present on both the containing group (groups that exhibit nested property) and the contained group (groups those are member of another group).

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Categories: Uncategorized


Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.


  1. By:Geoffrey Carman

    So how are ACL’s calculated for a nested group?

    The arguement against them in eDir with dynamic rights, has always been (to my mind, anyway) if you nest a group within a group, security equivalence calculation ends in a loop. I.e. A is equal to B and B is equal to A, and around we go, again and again.

    How do you handle that in 8.8SP2. I realize you handle it different than the default model, so I am curious to how you handle this specail case!

    And on the topic of LDAP interfaces, I wrote this in the summer on the topic:

  2. By:Marcus

    Will this work on Netware as well? Or will it be like the multiple instances of eDirectory that we were promised, but ONLY works on Linux?

  3. By:G Gireeshkumar

    The configurable LDAP Interfaces is not supported on Netware. It is supported only on AIX,HP-UX,Linux and Solaris platforms.

    Here’s a recent write-up about this feature.