Active directory nested groups with NetIQ Access Manager


Download AD Nested Groups user store plugin


Using nesting, you can add a group as a member of another group. You nest groups to consolidate member accounts and reduce replication traffic.
Nesting options depend on whether the domain functionality of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed.
By default, when you nest a group within another group, user rights are inherited. For example, if you make Group_1 a member of Group_2, users in Group_1 have the same permissions as the users in Group_2.

Setup Information

  1. Download plugin from this solution

  • Extract the zip file and copy the “com” folder to the Identity Server:

  • Copy it to the <NIDP>/WEB-INF/classes directory

    Windows Server 2008:
    \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\classes

  • To associate an LDAP Server plug-in with the Custom1, Custom2, or Custom3 directory type, modify the web.xml file on the Identity Server:

    4.1 In a text editor, open the web.xml file.

    Windows Server 2008:
    \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\web.xml

    4.2 Add an entry for the ladpStorePlugins context parameter. Your entry should look similar to the following to associate the com.netiq.custom.LDAPStorePluginActiveDirExt with the Custom1 directory type.


  • Restart IDP

    Enter one of the following commands:
    /etc/init.d/novell-idp restart
    rcnovell-idp restart
    Enter the following commands:
    net stop Tomcat7
    net start Tomcat7

  • Repeat above steps on each Identity Server in the cluster.

  • In the Administration Console, configure the Identity Server to use the new directory type for a user store.

    7.1 Click Access Manager > Identity Servers > Edit > Local.

    7.2 Either select the name of a user store or click New.

    7.3 For the Directory type, select the custom string you have configured above that is custom1

  • Complete one of the following:

    8.1 For a new user store, configure the other required values, then click Finish.

    8.2 For a modified user store, modify the other options to fit the new directory type, then click OK.

  • Update the Identity Server.

  • (Optional) To verify that the new directory type is functioning correctly, log in to the user portal by using the credentials of a user in the user store.

  • Refer to nested groups in policy creation or role creation. This is regular steps to be followed as per documentation how to created role or policy.



How To-Best Practice
Comment List
  • in reply to sma2006
    In fact there is no problem with the new NAM portal (/nidp), but with the Kerberos authentication that no longer works after changing AD user store configuration to "custom1".

    Any idea ?

  • Hello,

    I tried it with NetIQ NAM 4.2.1 and it almost work :

    Actually, the Role that filter on Nested Group membership in AD works, but changing the ADIR directory type to Custom1 breaks the NAM Portal (new feature in NAM 4.2)

    The NAM portal authentication works, but the Appmark are not showed.

    Do you have any idea of the problem ?