Controlling LDAP Nested groups configuration in Identity Awareness
Prior to R75.40, LDAP nested groups were not supported: an LDAP user was matched only to the LDAP groups to which the user explicitly belonged. For example:
User John belongs to group Org_IT, and group Org_IT belongs to group Org_ALL.
John's implicit membership in Org_ALL was disregarded by the Identity Server, so any rule based on Org_ALL did not apply to John.
Starting in R75.40, LDAP nested groups are fully supported.
- In R75.40, the feature is disabled by default.
- Starting from R76 the feature is enabled by default.
Once enabled, the default depth is 20. The feature is controlled with this CLI command, run from Expert mode on the gateway that acts as the Identity Server (PDP):
[Expert@GW_HostName]# pdp nested_groups
- enable - Enables the nested groups feature.
- disable - Disables the nested groups feature.
- depth <N> - Sets the depth to N. Minimum is 1 and maximum is 40.
- status - Displays the current status of nested groups (enabled/disabled) and the current depth.
- show - Displays the list of users whose group membership was not fully fetched because of the depth setting. For example, if the depth is set to 3 and a user belongs to 5 nested groups, group information is retrieved only down to depth 3; the groups at depths 4 and 5 are disregarded, and the user appears in this list. Groups dropped this way are not used for identity matching, so policy that relies on them does not apply to that user; check this list first when a user unexpectedly fails to match a group-based rule.
- clear - Clears the list of users whose group membership was not fully fetched because of the depth setting. In the example above, the entry recording that the user's groups at depths 4 and 5 were not fetched is removed.
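To make the depth setting concrete, here is an added Python model of a depth-limited nested-group lookup over a constructed in-memory directory. It is not Check Point code and not the PDP's internal implementation. It assumes that a user's direct groups count as depth 1 (the CLI minimum) and that each parent group adds one level; it extends the article's John -> Org_IT -> Org_ALL chain to five levels and adds a membership cycle (Loop_A/Loop_B, possible in LDAP and Active Directory) to show that the depth cut, together with tracking already-resolved groups, also terminates loops. The users_with_truncated_groups function corresponds to what the show subcommand lists.

```python
# Added illustration only: models how a depth-limited nested-group lookup
# behaves. Not Check Point code and not the PDP's internal algorithm.
# Assumption: a user's direct groups are depth 1 (the CLI minimum) and every
# parent group adds one level.
from collections import deque

# Constructed sample directory: group -> the parent groups it is a member of.
# The Org_* chain extends the article's John -> Org_IT -> Org_ALL example to
# five levels; Loop_A/Loop_B form a membership cycle.
GROUP_PARENTS = {
    "Org_IT": ["Org_Engineering"],
    "Org_Engineering": ["Org_Staff"],
    "Org_Staff": ["Org_Employees"],
    "Org_Employees": ["Org_ALL"],
    "Org_ALL": [],
    "Loop_A": ["Loop_B"],
    "Loop_B": ["Loop_A"],
}

# Constructed users and the groups they explicitly belong to (depth 1).
USER_GROUPS = {
    "John": ["Org_IT"],
    "Dana": ["Loop_A"],
}

MIN_DEPTH, MAX_DEPTH = 1, 40  # the range 'pdp nested_groups depth' accepts


def depth_is_valid(depth):
    """True if depth is within the range the CLI accepts."""
    return MIN_DEPTH <= depth <= MAX_DEPTH


def resolve_groups(user, depth, user_groups=USER_GROUPS, group_parents=GROUP_PARENTS):
    """Breadth-first expansion of nested membership, cut off at `depth`.

    Returns (by_level, truncated):
      by_level  - {level: [groups first reached at that level]}, levels 1..depth
      truncated - True if at least one group lay beyond `depth` and was dropped,
                  i.e. this user would appear in 'pdp nested_groups show'
    """
    if not depth_is_valid(depth):
        raise ValueError("depth must be between %d and %d" % (MIN_DEPTH, MAX_DEPTH))
    seen = set()
    by_level = {}
    truncated = False
    queue = deque((group, 1) for group in user_groups.get(user, []))
    while queue:
        group, level = queue.popleft()
        if group in seen:
            continue  # already resolved via a shorter path (this also breaks cycles)
        if level > depth:
            truncated = True  # reachable, but beyond the configured depth: dropped
            continue
        seen.add(group)
        by_level.setdefault(level, []).append(group)
        for parent in group_parents.get(group, []):
            queue.append((parent, level + 1))
    for groups in by_level.values():
        groups.sort()
    return by_level, truncated


def users_with_truncated_groups(depth, user_groups=USER_GROUPS, group_parents=GROUP_PARENTS):
    """Users whose membership was cut by `depth`: what 'show' would list."""
    return sorted(
        user for user in user_groups
        if resolve_groups(user, depth, user_groups, group_parents)[1]
    )


if __name__ == "__main__":
    for depth in (1, 3, 5):
        levels, cut = resolve_groups("John", depth)
        print("depth=%d John -> %s truncated=%s" % (depth, levels, cut))
    print("would appear in 'show' at depth 3:", users_with_truncated_groups(3))
```

Running it prints John's resolved groups at depth 1, 3 and 5. At depth 3, Org_Employees and Org_ALL are dropped and John is flagged as truncated, so any rule keyed on those two groups would not apply to him until the depth is raised; Dana's two-group cycle resolves completely at depth 2 and is not reported, because a group that was already resolved is never counted again.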