LDAP objectclass/attribute pairings for nested groups

Nested groups will not be enumerated unless you specifically configure WebSphere Application Server (WAS) to enumerate them. Do not take the choice to configure WAS to enumerate nested groups lightly because using nested groups in applications can cause those applications to exact heavy loads on the configured LDAP server in order to resolve nested group expansion. When deciding whether to configure WebSphere Application Server to use nested groups, consider the following factors:

• You should have a basic understanding of the depth and breadth (numbers and layers of nested groups) existing in your LDAP directory so you can estimate the performance impact that queries that expand nested groups will have on your configured LDAP server.
• Verify that the LDAP directory has been deployed using Nested groups.
  Note: In some cases, such as IBM Security Directory Server, the LDAP administrator had to have created nested groups with specific Nested Group Objectclasses. Refer to the IBM Security Directory Server documentation for more information.
• The attribute pairings listed in Table 1 are the standard defaults for particular LDAP Directories. As always, consult your LDAP documentation and LDAP administrator to ensure that your deployed LDAP uses those defaults before configuring WebSphere Application Server.

The group member attribute indicates the groups an entry belongs to. It can take multiple values and uses distinguished name syntax. Group membership is determined by enumerating through all member attributes for a particular group entry. In addition:

• Attributes differ depending on each LDAP service provider
• If nested groups are deployed in LDAP and enabled in WAS, those groups will be enumerated as well
• Nested groups require an operational attribute to enable Connections to utilize the efficient manner that LDAP providers use to enumerate group membership.