memberOf Nested Groups

Joseph Fischetti Joseph.Fischetti at
Thu May 14 18:05:05 UTC 2020

> Is there a way to obtain memberOf for nested groups memberships?

I do believe this is a function of your ldap server.

If you can query your ldap server for a particular user and their 'memberOf' attribute contains groups that they're only indirect members of, then Shibboleth will see it the same way.

IBM TDS, as an example, requires that you use the non-standard 'ibm-allgroups' attribute instead of 'memberOf' for getting information like this.  The grouping structure is also non-standard.  Groups that are members of other groups must be listed as "ibm-membergroup" instead of "member".  At least that's what I've found.  

I do believe OpenLDAP is more straightforward and intuitive than that, if that's what you're using.

More information about the users mailing list