I have a problem configuring my server to authenticate users that are members of a nested AD group. I have a 'group1' that includes 'group2' with the user account I'm trying to authenticate.
When configured as in the example below, users that are members of 'group1' are authenticated successfully, but members of the nested AD group 'group2' are not.
<Authorization>
    # Base DN
    BaseDN "OU=Users,DC=example,DC=com"
    # User Search Filter
    SearchFilter "(sAMAccountName=%u)"
    # Require Group Membership
    RequireGroup true
    <Group>
        BaseDN "OU=Security Groups,DC=example,DC=com"
        SearchFilter "(cn=group1)"
        MemberAttribute Member
    </Group>
</Authorization>
Based on this https://msdn.microsoft.com/en-us/librar ... s.85).aspx article, SearchFilter can be configured to perform a recursive query that 'walks the chain of ancestry in objects' until it finds the user. However, when I configure the SearchFilter like that, authentication fails completely and the server logs a "TLS Auth Error: Auth Username/Password verification failed for peer" event.
SearchFilter "(&(objectClass=*)(objectCategory=person)(memberof:1.2.840.113556.1.4.1941:=CN=group1,OU=Security Groups,DC=example,DC=com))"
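As an added illustration of what the matching rule in the post does (this is editor-supplied example code, not from the original post or from the auth-ldap plugin), the script below builds an Active Directory LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) and emulates, over a constructed in-memory directory, the difference between a plain `memberOf` match (one hop) and the transitive walk the chain rule performs (so a user in group2, nested in group1, matches group1). The DNs, user names and nesting are made up for the example. It keeps a `(sAMAccountName=...)` term beside the chain-rule clause so the search can still single out one entry, and escapes the substituted username per RFC 4515; both are choices made for this example, not something the post or the plugin prescribes.

```python
"""Added example, not code from the original post or from the auth-ldap
plugin: builds an Active Directory LDAP_MATCHING_RULE_IN_CHAIN filter
(OID 1.2.840.113556.1.4.1941) and emulates, over a constructed in-memory
directory, the difference between a plain memberOf match and the
transitive walk the rule performs.  Runs offline; the directory entries,
DNs and user names below are made up for illustration."""

GROUPS_OU = "OU=Security Groups,DC=example,DC=com"
USERS_OU = "OU=Users,DC=example,DC=com"
GROUP1 = f"CN=group1,{GROUPS_OU}"
GROUP2 = f"CN=group2,{GROUPS_OU}"
OTHER = f"CN=other,{GROUPS_OU}"

# Constructed directory: DN -> attributes.  group2 is nested inside group1,
# alice is only in group2, bob is directly in group1, carol is in neither.
DIRECTORY = {
    f"CN=alice,{USERS_OU}": {"sAMAccountName": "alice", "memberOf": [GROUP2]},
    f"CN=bob,{USERS_OU}":   {"sAMAccountName": "bob",   "memberOf": [GROUP1]},
    f"CN=carol,{USERS_OU}": {"sAMAccountName": "carol", "memberOf": [OTHER]},
    GROUP2: {"memberOf": [GROUP1]},
    GROUP1: {"memberOf": []},
    OTHER:  {"memberOf": []},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Needed because the %u the plugin substitutes is user-controlled input."""
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_user_filter(username: str, group_dn: str) -> str:
    """Chain-rule filter that keeps a sAMAccountName term (my choice for
    this example) so the search identifies exactly one user entry."""
    return (
        "(&(objectCategory=person)"
        f"(sAMAccountName={escape_filter_value(username)})"
        f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)}))"
    )


def _norm(dn: str) -> str:
    # DNs compare case-insensitively; good enough for this emulation.
    return dn.lower()


def is_direct_member(directory: dict, dn: str, group_dn: str) -> bool:
    """What a plain (memberOf=<group>) clause matches: one hop only."""
    return any(_norm(g) == _norm(group_dn) for g in directory[dn]["memberOf"])


def is_member_in_chain(directory: dict, dn: str, group_dn: str) -> bool:
    """What the 1.2.840.113556.1.4.1941 rule evaluates: follow memberOf
    transitively until the target group is reached.  Cycle-safe."""
    target = _norm(group_dn)
    seen = set()
    stack = [dn]
    while stack:
        current = stack.pop()
        for parent in directory.get(current, {}).get("memberOf", []):
            if _norm(parent) == target:
                return True
            if _norm(parent) not in seen:
                seen.add(_norm(parent))
                stack.append(parent)
    return False


def users_matching(directory: dict, group_dn: str, recursive: bool) -> set:
    """sAMAccountNames the group clause returns, with or without the chain rule."""
    check = is_member_in_chain if recursive else is_direct_member
    return {
        attrs["sAMAccountName"]
        for dn, attrs in directory.items()
        if "sAMAccountName" in attrs and check(directory, dn, group_dn)
    }


if __name__ == "__main__":
    print(build_user_filter("alice", GROUP1))
    print("direct   :", sorted(users_matching(DIRECTORY, GROUP1, recursive=False)))
    print("in chain :", sorted(users_matching(DIRECTORY, GROUP1, recursive=True)))
```

Running it prints the generated filter, then `['bob']` for the one-hop match and `['alice', 'bob']` for the chain-rule match, which is the nested-group behaviour the post is after. Against a real domain controller the same comparison can be made with two `ldapsearch` runs, one with `(memberOf=<group DN>)` and one with the `:1.2.840.113556.1.4.1941:` form.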