Some LDAP setups define groups of users using the groupOfURLs object class, which defines the list of members dynamically through an LDAP URL stored in the memberURL attribute, for example:
dn: cn=group1,ou=groups,dc=example,dc=org
objectClass: top
objectClass: groupofuniquenames
objectClass: groupofurls
cn: group1
memberURL: ldap:///ou=people,dc=example,dc=org??sub?(&(!(employeenumber=00000000))(sn=A*)(objectclass=person))
uniqueMember: uid=user1,ou=people,dc=example,dc=org
uniqueMember: uid=user2,ou=people,dc=example,dc=org
...
In this example, some members are defined statically (uniqueMember attributes) and others are defined dynamically through the memberURL attribute. From the Nuxeo application's point of view, dynamic members should be merged with static members.
More details on the groupOfURLs / memberURL usage can be found here:
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahydynamicgp.htm
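A sketch of the merge described above, added here as an example and not taken from the Nuxeo code base: it splits the memberURL value into base DN, scope and filter, evaluates it against an in-memory set of entries, and merges the result with the static uniqueMember values. The function names, the sample entries, the rejection of URLs that name a host, and case-insensitive value matching are assumptions of this example; the filter parser covers only the &, |, ! and equality/wildcard forms.

```python
import re
from urllib.parse import unquote

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter predicate)."""
    if not url.lower().startswith("ldap:///"):  # assumption: same-server URLs only
        raise ValueError("unsupported memberURL: " + url)
    parts = [unquote(p) for p in url[8:].split("?")] + [""] * 3
    return parts[0], parts[2] or "base", parse_filter(parts[3] or "(objectClass=*)")[0]

def parse_filter(s, i=0):
    """Compile the filter starting at s[i]; return (predicate, next index)."""
    if s[i] != "(":
        raise ValueError("malformed filter: " + s)
    op = s[i + 1]
    if op in "&|!":
        subs, i = [], i + 2
        while s[i] == "(":
            sub, i = parse_filter(s, i)
            subs.append(sub)
        combine = {"&": all, "|": any, "!": lambda r: not any(r)}[op]  # "!" has one operand
        return (lambda e: combine(f(e) for f in subs)), i + 1
    end = s.index(")", i)
    attr, _, val = s[i + 1:end].partition("=")
    rx = re.compile(".*".join(map(re.escape, val.split("*"))), re.I)  # "*" wildcard
    return (lambda e: any(rx.fullmatch(v) for v in e.get(attr.lower(), []))), end + 1

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()  # naive: assumes no escaped commas
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    return (dn.partition(",")[2] if scope == "one" else dn) == base

def resolve_members(group, directory):
    """Merge static uniqueMember values with the memberURL search results."""
    members = set(group.get("uniquemember", []))
    for url in group.get("memberurl", []):
        base, scope, pred = parse_member_url(url)
        members |= {dn for dn, e in directory.items() if in_scope(dn, base, scope) and pred(e)}
    return sorted(members)

P = ",ou=people,dc=example,dc=org"  # constructed sample data, not a real directory
person = lambda sn, num: {"sn": [sn], "employeenumber": [num], "objectclass": ["person"]}
DIRECTORY = {"uid=user3" + P: person("Adams", "00012345"),  # matches the filter
             "uid=user4" + P: person("Abbot", "00000000"),  # excluded by the ! clause
             "uid=user5" + P: person("Baker", "00012346"),  # sn does not match A*
             "uid=svc,ou=services,dc=example,dc=org": person("Archer", "00012347")}  # out of scope
GROUP = {"uniquemember": ["uid=user1" + P, "uid=user2" + P], "memberurl": [
    "ldap:///ou=people,dc=example,dc=org??sub?(&(!(employeenumber=00000000))(sn=A*)(objectclass=person))"]}
```

Because group membership usually drives access decisions, the resolver refuses any memberURL it cannot evaluate rather than silently returning only the static members.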
Most LDAP server implementations do not resolve dynamic groups server side, hence the need to implement this dynamic reference resolution on the Nuxeo directory side. More details on the state of LDAP groups implementation can be found here: