Nested Groups and Roles in LDAP

The LDAP provider computes the roles granted to an authenticated user from the role and group membership information in the LDAP repository. LDAP servers support nesting by allowing a role to be a member of another role and a group to be a member of another group.

The LDAP provider retrieves role membership from the user attribute specified by the UserRoleMembershipAttributes configuration property, and does not compute role membership recursively. Therefore nested and dynamic roles are taken into consideration only if the LDAP server provides a user attribute that contains the complete list of role memberships, including static, dynamic, and nested role memberships. A role that a user holds only through nesting is otherwise invisible to the provider, so any security policy bound to that role is not applied to that user. For example, in Sun ONE Directory Server the UserRoleMembershipAttributes property for the LDAP provider should be set to "nsRole", the server-computed attribute that lists every role the entry holds, instead of the default value "nsRoleDN", which lists only the roles directly assigned to the entry.

Similarly, LDAP group memberships are stored and checked on a group-by-group basis. Each defined group, typically of objectclass groupofnames or groupofuniquenames, has an attribute listing all of the direct members of the group. The LDAP provider does not support nested or dynamic groups (groups whose members are found by an LDAP search rather than listed statically); that is, it does not recursively compute all the groups to which the user belongs. Therefore nested and dynamic groups are taken into consideration only if the LDAP server provides a user attribute that contains the complete list of group memberships, including static, dynamic, and nested group memberships. For example, in Active Directory the UserRoleMembershipAttributes property for the LDAP provider should be set to "tokenGroups" to enable it to retrieve the nested group membership information. Note that tokenGroups is a constructed attribute: Active Directory returns it only on a base-scope read of the user entry, and its values are the binary SIDs of the groups (including nested ones) rather than their distinguished names.
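The two paragraphs above make the same point for roles and for groups: the provider reads one attribute of the user entry and does no recursion, so nesting is only honoured when the server has already flattened it into that attribute. The following script is an added example, not code from the WebLogic LDAP provider or from any directory product. It models a constructed directory in which alice is a direct member of "developers", which is nested in "engineering", which is nested in "all-staff", contrasts a single-attribute lookup with the transitive computation a server performs to produce nsRole or tokenGroups, and decodes the binary SID format that tokenGroups returns. All DNs, group names and SID bytes are invented for the example.

```python
"""Added example: non-recursive vs transitive LDAP membership, plus
decoding of the binary SIDs found in Active Directory's tokenGroups.
The directory, DNs and SIDs below are constructed for illustration."""
import struct

# Constructed sample directory. Each group carries only its DIRECT members in
# the static 'member' attribute (groupOfNames); a group DN listed as a member
# of another group is how nesting is expressed.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["person"],
        # AD-style back link: like 'member', it lists direct memberships only.
        "memberOf": ["cn=developers,ou=groups,dc=example,dc=com"],
    },
    "cn=developers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=people,dc=example,dc=com"],
    },
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=developers,ou=groups,dc=example,dc=com"],
    },
    "cn=all-staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=engineering,ou=groups,dc=example,dc=com"],
    },
}


def direct_groups(user_dn, directory=DIRECTORY):
    """What a provider that reads a single static user attribute (here
    'memberOf', comparable to the default nsRoleDN) actually sees: the
    direct memberships and nothing else."""
    return set(directory[user_dn].get("memberOf", []))


def nested_groups(user_dn, directory=DIRECTORY):
    """Transitive closure over group-in-group membership. This is the work
    the LDAP server does when it exposes a computed attribute such as
    nsRole or tokenGroups; the provider itself never performs it."""
    found, frontier = set(), {user_dn}
    while frontier:
        dn = frontier.pop()
        for group_dn, entry in directory.items():
            if dn in entry.get("member", []) and group_dn not in found:
                found.add(group_dn)
                frontier.add(group_dn)  # the group may itself be nested
    return found


def decode_sid(blob):
    """Render a binary SID (the value format of tokenGroups) as 'S-1-...'.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then 32-bit little-endian sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subauths = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


# Constructed tokenGroups value: the well-known BUILTIN\Administrators SID
# S-1-5-32-544 in its binary form. Real values would be domain-specific.
TOKEN_GROUPS_SAMPLE = [bytes.fromhex("01020000000000052000000020020000")]


def token_group_sids(values=TOKEN_GROUPS_SAMPLE):
    """Decode every tokenGroups value; a provider mapping these to group
    names would still have to look each SID up by objectSid."""
    return [decode_sid(v) for v in values]


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=com"
    print("single-attribute lookup:", sorted(direct_groups(alice)))
    print("server-side transitive closure:", sorted(nested_groups(alice)))
    print("tokenGroups decoded:", token_group_sids())
```

Running it shows that the single-attribute lookup grants alice only "developers", while the transitive computation also yields "engineering" and "all-staff"; a WebLogic role mapped to either of those two groups would not apply to alice unless the server exposes the flattened list in the attribute named by UserRoleMembershipAttributes.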

For additional information, see Skipping LDAP Role Lookups (SkipRoleLookup), and LDAP Configuration Properties.