A group is an entry that identifies the other entries that are members of the group. Static and dynamic groups are supported. The group mechanism makes it easy to retrieve a list of entries that are members of a given group.
Static groups specify the DN of each member of the group. Static groups use one of the following object class and attribute pairs:
The groupOfNames object class, with a multivalued member attribute
The groupOfUniqueNames object class, with a multivalued uniqueMember attribute
The member attribute and uniqueMember attribute contain the DN for every entry that is a member of the group. The uniqueMember attribute value for the DN is optionally followed by a hash, #, and a unique identifier label to guarantee uniqueness.
Dynamic groups specify one or more URL search filters. All entries that match the URL search filters are members of the group. Membership of a dynamic group is defined each time the filters are evaluated. Dynamic groups use one of the following object class and attribute pairs:
The groupOfURLs object class, with the memberURL attribute
The groupOfUniqueNames object class, with the uniqueMember attribute
The memberURL attribute and the uniqueMember attribute specify one or more URL search filters.
Static groups can be nested by specifying the DN of another group as a value for the member attribute or uniqueMember attribute.
The depth to which nested groups are supported by ACIs is controlled by the nsslapd-groupevalnestlevel configuration parameter.
Nested groups are not the most efficient grouping mechanism. Dynamic nested groups incur an even greater performance cost. To avoid these performance problems, use roles instead.
Directory Server also supports mixed groups, that is, groups that reference individual entries, static groups, and dynamic groups.
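The following sketch is an added example, not Directory Server code. It expands a mixed group into its effective members, which is the set an administrator should review before naming the group in an ACI. Assumptions: the sample entries are constructed, the # label is taken to be in the RFC 4517 bit-string form, only sub-scope URLs with a single (attr=value) filter are evaluated, and max_nest (default chosen arbitrarily) stands in for a nesting limit such as nsslapd-groupevalnestlevel.

```python
import re
from urllib.parse import unquote

P, G = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
# Constructed sample directory (DN -> attributes); every entry here is made up.
DIRECTORY = {
    f"uid=alice,{P}": {"departmentnumber": ["42"]},
    f"uid=bob,{P}": {"departmentnumber": ["7"]},
    f"uid=carol,{P}": {"departmentnumber": ["42"]},
    f"uid=dave,{P}": {"departmentnumber": ["7"]},
    # Static group; the uniqueMember value carries an optional "#" label.
    f"cn=ops,{G}": {"uniquemember": [f"uid=bob,{P}#'0101'B"]},
    # Dynamic group: members are whatever the URL search filter matches.
    f"cn=dept42,{G}": {"memberurl": [f"ldap:///{P}??sub?(departmentNumber=42)"]},
    # Mixed group: an individual entry, a static group and a dynamic group.
    f"cn=admins,{G}": {"member": [f"uid=dave,{P}", f"cn=ops,{G}", f"cn=dept42,{G}"]},
    # Two groups that reference each other (a nesting loop).
    f"cn=loop-a,{G}": {"member": [f"cn=loop-b,{G}"]},
    f"cn=loop-b,{G}": {"member": [f"cn=loop-a,{G}", f"uid=bob,{P}"]},
}
GROUP_ATTRS = ("member", "uniquemember", "memberurl")
UID_LABEL = re.compile(r"#'[01]*'B$")  # assumed label form: DN#'bits'B

def url_members(url):
    """Evaluate one ldap:///base??sub?(attr=value) URL against DIRECTORY."""
    parts = url[len("ldap:///"):].split("?")
    base, _attrs, _scope, flt = (unquote(p) for p in parts)
    attr, value = flt.strip("()").split("=", 1)
    return {dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base) and value in entry.get(attr.lower(), [])}

def members(group_dn, max_nest=5, path=()):
    """Return the non-group entries reachable from group_dn.
    Groups nested deeper than max_nest levels are not expanded."""
    if group_dn in path:  # nesting loop: this group is already being expanded
        return set()
    found = set()
    for attr in GROUP_ATTRS:
        for value in DIRECTORY.get(group_dn, {}).get(attr, []):
            if value.lower().startswith("ldap:///"):
                candidates = url_members(value)  # dynamic membership
            else:
                candidates = {UID_LABEL.sub("", value)}  # static DN, label removed
            for dn in candidates:
                if not any(a in DIRECTORY.get(dn, {}) for a in GROUP_ATTRS):
                    found.add(dn)
                elif len(path) < max_nest:
                    found |= members(dn, max_nest, path + (group_dn,))
    return found
```

With the nesting limit set to 0, the mixed group resolves to its directly listed entry only, which shows how a limit that is lower than the real nesting depth silently shrinks the set of entries a group-based rule covers.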