https://bugs.openldap.org/show_bug.cgi?id=9402
--- Comment #6 from Vincent Danjean vdanjean.ml@free.fr ---
(In reply to Howard Chu from comment #5)
> OpenLDAP 2.5 already supports nested groups using the dynlist overlay. Closing this ITS.
dynlist seems indeed a great feature. I would say that it seems to lack a bit of documentation/examples, but, from what I read, it allows one to do powerful things. With respect to nested groups, it is possible that, for reader LDAP clients (i.e. most applications using LDAP for authentication), dynlist (and autogroup) would be a good solution (I'm not sure that it will work with a dynlist object referring to another dynlist, as the slapo-dynlist(5) manpage says "No recursion is allowed, to avoid potential infinite loops." I will need to do tests). However, using this feature requires writer LDAP clients (at least fusiondirectory in my case) to support this new feature (new attribute to handle, different way to create groups, etc.). So, less software to patch, but still software to patch to support nested groups.
My point is just to say that dynlist/autogroup overlay and my initial request are not the same things. That said, if dynlist allows one to create recursive nested groups, I fully understand that you do not want to support an alternative (that would probably be less efficient).
But, for my use case, as fusiondirectory does not (yet) support dynlist (it should in the next version), I will write scripts that duplicate nested groups in another LDAP branch by flattening them, so that reader LDAP clients that do not support nested groups can be told to look into this alternative hierarchy.
Many thanks for your feedback and the pointers to dynlist/autogroup. I will look at them with attention.
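The flattening approach mentioned in the comment above (duplicating nested groups into a separate branch so that clients without nested-group support can use it), shown as an added example that is not part of the ITS nor of any OpenLDAP or fusiondirectory code. The group entries, DNs and the `ou=flat` branch are constructed assumptions; the expansion tracks already-visited groups so that a membership loop (the infinite-loop case the slapo-dynlist(5) manpage warns about) terminates instead of recursing forever.

```python
# Added example: flatten nested groupOfNames/member entries into a parallel
# branch, with loop protection. Sample data is constructed, not from the ITS.
from typing import Dict, List, Set

# Constructed snapshot: group DN -> member DNs. Members may be users or other
# groups; 'staff' and 'admins' reference each other to exercise loop handling.
GROUPS: Dict[str, List[str]] = {
    "cn=all,ou=groups,dc=example,dc=org": [
        "cn=staff,ou=groups,dc=example,dc=org",
        "uid=eve,ou=people,dc=example,dc=org",
    ],
    "cn=staff,ou=groups,dc=example,dc=org": [
        "cn=admins,ou=groups,dc=example,dc=org",
        "uid=bob,ou=people,dc=example,dc=org",
    ],
    "cn=admins,ou=groups,dc=example,dc=org": [
        "uid=alice,ou=people,dc=example,dc=org",
        "cn=staff,ou=groups,dc=example,dc=org",  # loop back to staff
    ],
}

def flatten(group: str, groups: Dict[str, List[str]], seen=None) -> Set[str]:
    """Return the transitive set of non-group (user) members of `group`.
    `seen` records groups already expanded so that loops terminate."""
    if seen is None:
        seen = set()
    if group in seen:
        return set()
    seen.add(group)
    members: Set[str] = set()
    for m in groups.get(group, []):
        if m in groups:            # nested group: expand it
            members |= flatten(m, groups, seen)
        else:                      # leaf entry (a user)
            members.add(m)
    return members

def flat_ldif(groups: Dict[str, List[str]],
              flat_ou: str = "ou=flat,dc=example,dc=org") -> str:
    """Emit LDIF for the parallel branch holding the flattened groups."""
    out = []
    for dn in sorted(groups):
        cn = dn.split(",", 1)[0]                 # e.g. "cn=staff"
        out.append(f"dn: {cn},{flat_ou}")
        out.append("objectClass: groupOfNames")
        out.append(cn.replace("=", ": ", 1))     # "cn: staff"
        for m in sorted(flatten(dn, groups)):
            out.append(f"member: {m}")
        out.append("")
    return "\n".join(out)
```

Feeding the output to ldapadd would create the flattened copies under the assumed `ou=flat` branch; the originals are left untouched so dynlist-capable clients can keep using them.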