Using LDAP Nested Groups and Roles

LDAP groups can serve as role definitions, and those groups may themselves be nested. Whether nested membership reaches the role computation depends on what the LDAP server exposes on the user entry.

LDAP servers allow groups to be members of other groups, so membership can be nested to any depth. The LDAP provider does not walk this hierarchy recursively. Nested memberships enter the role computation only when the LDAP server itself exposes a user attribute whose values are the complete, already-flattened list of the user's group memberships (static, dynamic, and nested). Unwired Platform implements a Java LDAP provider through a common security interface, and group memberships are stored and checked group by group. Each defined group, typically of objectclass "groupofnames" or "groupofuniquenames", carries an attribute (member or uniqueMember, respectively) listing the members of that group; a nested group appears there simply as one more member DN. The provider reads the user's roles from the user attributes named by the UserRoleMembershipAttributes property and treats the values it finds there as the user's static group membership, without expanding them further.

For Active Directory, set the UserRoleMembershipAttributes property of the LDAP provider to "tokenGroups" so that nested group membership is retrieved; the more familiar memberOf attribute lists only the groups the user belongs to directly. Active Directory computes tokenGroups on demand, so it is returned only when the user object itself is read with a base-scope search. For SunOne (Sun Java System Directory Server), set UserRoleMembershipAttributes to "nsRole" instead of the default value "nsRoleDN": nsRoleDN is the stored attribute naming only the roles assigned directly to the user, whereas nsRole is a virtual attribute the server computes to list every role the user holds, including nested ones. For additional information, see Skipping LDAP Role Lookups (SkipRoleLookup), and LDAP Configuration Properties.
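The following is an added worked example, not Unwired Platform code. It models a small constructed directory and shows the difference between a provider that reads a direct-membership attribute (memberOf) and one that reads a server-flattened attribute (tokenGroups, which is the attribute name the page prescribes for Active Directory; its values here are group DNs for readability, whereas real Active Directory returns SIDs). The `nested_groups` function performs the recursive walk that the provider itself does not do, to make visible what a flattened attribute has to contain. All DNs and group contents are constructed for the example.

```python
# Added worked example; not Unwired Platform code. Directory content is constructed.
from typing import Dict, List, Set

# Constructed static groups (objectclass groupOfNames): group DN -> values of "member".
GROUPS: Dict[str, List[str]] = {
    "cn=SalesLeads,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
    ],
    "cn=Sales,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=SalesLeads,ou=groups,dc=example,dc=com",   # nested group, one more member DN
    ],
    "cn=MobileUsers,ou=groups,dc=example,dc=com": [
        "cn=Sales,ou=groups,dc=example,dc=com",        # nested group
    ],
}


def direct_groups(dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Groups that list dn directly in their member attribute (one level only)."""
    return {g for g, members in groups.items() if dn in members}


def nested_groups(dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of group membership, safe against membership cycles.

    This is the recursive walk the LDAP provider does NOT perform. A server-computed
    attribute such as Active Directory tokenGroups or SunOne nsRole supplies the
    same closure ready-made on the user entry.
    """
    seen: Set[str] = set()
    todo = list(direct_groups(dn, groups))
    while todo:
        g = todo.pop()
        if g in seen:          # cycle or diamond: already expanded
            continue
        seen.add(g)
        todo.extend(direct_groups(g, groups))
    return seen


def provider_roles(user_entry: Dict[str, List[str]], membership_attrs: List[str]) -> Set[str]:
    """Mimics the provider: roles are exactly the values found in the user attributes
    named by UserRoleMembershipAttributes, with no expansion of its own."""
    roles: Set[str] = set()
    for attr in membership_attrs:
        roles.update(user_entry.get(attr, []))
    return roles


def user_entry(dn: str, groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Constructed user entry as an AD-like server would present it: memberOf holds
    direct groups only; tokenGroups holds the server-flattened set (DNs used here
    instead of the SIDs real Active Directory returns)."""
    return {
        "memberOf": sorted(direct_groups(dn, groups)),
        "tokenGroups": sorted(nested_groups(dn, groups)),
    }


def compare(dn: str, groups: Dict[str, List[str]] = GROUPS) -> Dict[str, Set[str]]:
    """Roles the provider would compute for dn under each attribute setting."""
    entry = user_entry(dn, groups)
    return {
        "memberOf": provider_roles(entry, ["memberOf"]),
        "tokenGroups": provider_roles(entry, ["tokenGroups"]),
    }


if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=com"
    for attr, roles in compare(bob).items():
        print(f"UserRoleMembershipAttributes={attr}: {sorted(roles)}")
```

Run as shown, bob is seen in only SalesLeads when the provider reads memberOf, but in SalesLeads, Sales, and MobileUsers when it reads the flattened tokenGroups attribute. The practical consequence is fail-closed: with the wrong attribute configured, users are denied roles granted through nesting rather than gaining extra ones, which shows up as authorization failures rather than as a security hole.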

Note: Unwired Platform supports static group and role membership lookups only. It does not perform dynamic group membership lookups itself; a dynamic or nested membership is visible to it only if the LDAP server folds it into the user attribute named by UserRoleMembershipAttributes.