Nested LDAP groups are widely used in big organizations especially with Active Directory. Microsoft's AGDLP recommendations rely on nested groups.
Currently, the LdapUserGroupProvider retrieves users and groups separately. Group memberships are inferred using 'Group Member Attribute' or 'User Group Name Attribute'. It is also possible to construct users and groups relying only on the groups and users entries respectively, this is done in case only one of the "User Search Base" or "Group Search Base" is specified.
Microsoft AD (and others such asRed Hat/389 DS) provides support for nested groups retrieval using special filters such as the LDAP_MATCHING_RULE_IN_CHAIN filter_._ With the current implementation, it is not possible to use this filter since it relies on the user's DN being part of the LDAP search filter which would require querying the LDAP server per user.
Handling LDAP nested groups would provide much flexibility to organization using Nifi and it would allow compliance with the AGDLP recommandations which is not currently possible.