memberOf Nested Groups

Jesse Martinich martinicj at
Thu May 14 18:28:29 UTC 2020

We use eDirectory (with NetIQ Identity Manager) and have this working.

I can share the script we use to keep groups in check if you're interested.


*Jesse Martinich*
Information Security Officer
Infrastructure Services Manager
Southern Oregon University | 1250 Siskiyou Blvd | Ashland OR  97520

On Thu, May 14, 2020 at 11:05 AM Joseph Fischetti <Joseph.Fischetti at> wrote:

> > Is there a way to obtain memberOf for nested groups memberships?
> I do believe this is a function of your LDAP server.
> If you can query your LDAP server for a particular user and their
> 'memberOf' attribute contains groups that they're only indirect members of,
> then Shibboleth will see it the same way.
> IBM TDS, as an example, requires that you use the non-standard
> 'ibm-allgroups' attribute instead of 'memberOf' for getting information
> like this.  The grouping structure is also non-standard.  Groups that are
> members of other groups must be listed as "ibm-membergroup" instead of
> "member".  At least that's what I've found.
> I do believe OpenLDAP is more straightforward and intuitive than that, if
> that's what you're using.
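What a server that reports indirect groups has to compute can also be done client-side when memberOf holds direct groups only. The sketch below is an added example, not code from the thread or from the script offered in it; the DNs, the sample directory and the names `norm` and `effective_groups` are constructed, and it assumes the group entries have already been fetched into a dictionary.

```python
from collections import deque

# Constructed sample directory (group DN -> attributes); not from the thread.
BASE = "ou=groups,dc=example,dc=edu"
PEOPLE = "ou=people,dc=example,dc=edu"
GROUPS = {
    f"cn=vpn-users,{BASE}": {"member": [f"cn=staff,{BASE}"]},
    f"cn=staff,{BASE}": {"member": [f"cn=it,{BASE}", f"uid=bob,{PEOPLE}"]},
    # cn=it also lists cn=vpn-users, closing a loop: it -> staff -> vpn-users -> it
    f"cn=it,{BASE}": {"member": [f"uid=alice,{PEOPLE}", f"CN=vpn-users, {BASE}"]},
    f"cn=hr,{BASE}": {"member": [f"uid=carol,{PEOPLE}"]},
}


def norm(dn):
    """Case-fold a DN and drop spaces around commas (simplified: no escaped commas)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def effective_groups(user_dn, groups, member_attrs=("member",)):
    """Return (direct, indirect) sets of group DNs for user_dn.

    member_attrs names the attributes that hold members; pass
    ("member", "ibm-membergroup") for a layout that lists nested groups separately.
    """
    parents = {}  # member DN -> set of group DNs that list it
    for group_dn, attrs in groups.items():
        for attr in member_attrs:
            for member in attrs.get(attr, []):
                parents.setdefault(norm(member), set()).add(norm(group_dn))

    direct = set(parents.get(norm(user_dn), ()))
    seen = set(direct)
    queue = deque(direct)
    while queue:  # breadth-first walk up the nesting; `seen` stops loops
        for parent in parents.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return direct, seen - direct


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        direct, indirect = effective_groups(f"uid={uid},{PEOPLE}", GROUPS)
        print(uid, "direct:", sorted(direct), "indirect:", sorted(indirect))
```

Because of the constructed loop, bob, a direct member of only cn=staff, also ends up an effective member of cn=it, which is worth checking for before nested membership drives access decisions.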
