--On Thursday, July 26, 2012 06:43:13 PM +0800 Qian Zhang zhq527725@gmail.com wrote:

Hi,

I'd like to know in OpenLDAP 2.4, if I create a group (objectClass is posixGroup), is it possible that I create another group as the member of this group? Or I have to do this with group which has groupOfNames as its objectClass?

It really is not a question of whether or not it is possible to create nested structures in LDAP. It definitely is possible to create entries that contain pointers to other entries. The questions is will the applications that access those entries traverse the linked entries. In the case of posixGroups, the software that I am familiar with is written with the assumption that all of the members of a group are present in the memberUID values in the entry.

One thing to keep in mind if you do create a nested structure for your application is that it will be expense to determine if a individual is a member of a group. To determine if an individual is a member of a group can require that the group be at least partially exploded using multiple searches, and to make sure that an individual is not a member of a group will require that the group be completely exploded.

Bill