Prior to R75.40, LDAP nested groups were not supported. LDAP users were matched only to the LDAP groups they belonged to directly. For example:
User John belongs to group Org_IT, and the group Org_IT belongs to the group Org_ALL.
John's implicit membership in Org_ALL is disregarded by the Identity Server.
Starting in R75.40, there is full support for LDAP nested groups.
- In R75.40, the feature is disabled by default.
- Starting from R76 the feature is enabled by default.
Once enabled, the default depth is 20. The feature is controlled with this CLI command:
[Expert@GW_HostName]# pdp nested_groups
- enable - Enables the nested groups feature.
- disable - Disables the nested groups feature.
- depth - Sets a new depth. Minimum is 1 and maximum is 40.
- status - Displays the current status of nested groups (enabled/disabled) and the current depth.
- show - Displays a list of users for groups that were not fetched due to depth settings. For example, if the depth is set to 3 and a user belongs to 5 nested groups, group information is retrieved only down to depth 3; the other groups are disregarded.
- clear - Clears the list of users belonging to groups that were not fetched due to depth settings. For example, if the depth is set to 3 and a user belongs to 5 nested groups, the list of users in groups 4 and 5 is cleared.
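The depth semantics above, as an added illustrative model (not Check Point's code and not a live LDAP query): a constructed memberOf-style map extends the John / Org_IT / Org_ALL chain to five levels, and a depth-limited walk shows which groups an access rule can match and which end up in the "not fetched" list.

```python
from collections import deque

# Constructed directory model (assumption, not a real LDAP server): each
# user or group DN maps to the groups it is a *direct* member of, as a
# memberOf-style attribute would expose it.
DIRECTORY = {
    "uid=john": ["cn=Org_IT"],
    "cn=Org_IT": ["cn=Org_ALL"],
    "cn=Org_ALL": ["cn=Level3"],
    "cn=Level3": ["cn=Level4"],
    "cn=Level4": ["cn=Level5"],
    "cn=Level5": [],
}

def resolve_groups(directory, user, depth):
    """Return (fetched, not_fetched) for `user`.

    Direct membership is nesting level 1, so depth=1 reproduces the
    pre-R75.40 behaviour (explicit groups only).  `fetched` holds groups
    within the configured depth; `not_fetched` holds groups in the chain
    that lie beyond it (the kind of entries `pdp nested_groups show` lists).
    """
    if not 1 <= depth <= 40:  # same bounds the CLI enforces
        raise ValueError("depth must be between 1 and 40")
    fetched, not_fetched, seen = [], [], {user}
    queue = deque((g, 1) for g in directory.get(user, []))
    while queue:
        group, level = queue.popleft()
        if group in seen:  # guard against membership cycles in the directory
            continue
        seen.add(group)
        (fetched if level <= depth else not_fetched).append(group)
        queue.extend((parent, level + 1) for parent in directory.get(group, []))
    return fetched, not_fetched

def user_matches_group(directory, user, group, depth):
    """True if an identity-based rule on `group` would match `user`."""
    fetched, _ = resolve_groups(directory, user, depth)
    return group in fetched

if __name__ == "__main__":
    for d in (1, 2, 3):
        got, missed = resolve_groups(DIRECTORY, "uid=john", d)
        print(f"depth={d}: fetched={got} not_fetched={missed}")
```

A rule written against Org_ALL silently stops matching John when the depth is 1, so after changing the depth it is worth checking `pdp nested_groups show` for groups that were cut off.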
This solution is about products that are no longer supported, and it will not be updated.