Active Directory LDAP authentication - help with nested groups

Hey all,

I’ve set up LDAP authentication to my AD, which is working correctly. I created two groups: “Grafana-Admins” and “Grafana-Editors”. When I add users directly to these groups, it works. But if I add another group as a nested member to these groups, it does not. I read the documentation on this issue but honestly it just made me more confused, and every group search filter I try to set up does not work.

This is my current ldap.toml:

[[servers]]
host = "my-dc-1 my-dc-2"
port = 3269
use_ssl = true
start_tls = false
ssl_skip_verify = true

# Search user bind dn
bind_dn = "CORP\\%s"

search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=corp,dc=mydc,dc=com"]

group_search_filter = "(member:1.2.840.113556.1.4.1941:=cn=%s,ou=Outsourcing,ou=Domain Users,ou=mydomain)"
group_search_filter_user_attribute = "cn"

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

[[servers.group_mappings]]
group_dn = "cn=Grafana-Admins,ou=Domain Groups,ou=mydomain,dc=corp,dc=mydc,dc=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=Grafana-Editors,ou=Domain Groups,ou=mydomain,dc=corp,dc=mydc,dc=com"
org_role = "Editor"

Can anyone give me an example of a group search filter which will work correctly and identify all groups, including nested ones? Or tell me what’s wrong with my current one?

Hey. Have you read this? http://docs.grafana.org/auth/ldap/#nested-recursive-group-membership
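
An added example, not written by either poster and not copied from Grafana's documentation: one way the `ldap.toml` from the question could be arranged so that nested Active Directory groups resolve. It assumes the approach in the linked documentation section (pass the user's full DN to the in-chain filter); the DNs are the ones from the question, the group search base is inferred from the `group_dn` values, and the CA certificate path is a placeholder.

```toml
[[servers]]
host = "my-dc-1 my-dc-2"
port = 3269
use_ssl = true
start_tls = false
# Verify the domain controller's certificate rather than skipping the check.
ssl_skip_verify = false
root_ca_cert = "/path/to/corp-ca.pem"   # placeholder path

bind_dn = "CORP\\%s"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=corp,dc=mydc,dc=com"]

# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it follows the
# member chain, so a group matches even when the user is only a member
# through another group.
# AD stores complete DNs in "member", so the value substituted for %s has to
# be the user's full DN. A hand-built template such as
# "cn=%s,ou=Outsourcing,ou=Domain Users,ou=mydomain" stops before the
# dc=... components and therefore cannot equal any stored member value.
group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
group_search_filter_user_attribute = "distinguishedName"
# Where the group entries live (inferred from the group_dn values below).
group_search_base_dns = ["ou=Domain Groups,ou=mydomain,dc=corp,dc=mydc,dc=com"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
# Assumption: with a group search configured, this attribute is read from
# each *group* entry the search returns, so it names the group's own DN.
member_of = "distinguishedName"
email = "mail"

[[servers.group_mappings]]
group_dn = "cn=Grafana-Admins,ou=Domain Groups,ou=mydomain,dc=corp,dc=mydc,dc=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=Grafana-Editors,ou=Domain Groups,ou=mydomain,dc=corp,dc=mydc,dc=com"
org_role = "Editor"
```

Because the mappings grant the Admin and Editor roles, it is worth confirming which groups end up nested under them: every member of a nested group inherits the mapped role.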