dn: cn=outside-the-firewall,ou=external-network-groups,ou=policy1, ou=tdatrootP,dc=domain1,dc=com objectClass: groupOfNames cn: outside-the-firewall member: ou=external-network-groups,ou=policy1,ou=tdatrootP,dc=domain1, dc=com
The preceding example includes the definition of a member attribute, which points to the external network groups container, only because member is a required attribute of groupOfNames and it must have at least one value.
The network group container DN is not used in any searches, but it is recommended because use of the DN of the parent cannot result in a “group loop.”