LDAP via BindDN - Active Directory nested groups

Hello everyone,

I set up my authentication source using LDAP via BindDN and I am stuck with the user filter.

Is Gitea able to manage Active Directory nested groups?

Context: in my company, we usually use nested groups to give permissions to our different teams.
For example: our dev users are members of g_dev, which is a member of dl_gitea, which is allowed to connect.
In my user filter, I should have this:
(&(objectCategory=Person)(memberOf=CN=dl_gitea,OU=groups,OU=company,DC=example,DC=com)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

But when user1 wants to log in, it fails and shows this:
routers/user/auth.go:177:SignInPost() [I] Failed authentication attempt for user1 from a.b.c.d : user does not exist [uid: 0, name: user1, keyid: 0]

It only works if we directly put the g_dev group in the user filter.

Any idea or suggestion?

Thanks in advance and stay safe!

I guess you need to use OID 1.2.840.113556.1.4.1941 which specifies LDAP_MATCHING_RULE_IN_CHAIN. So instead of

memberOf=CN=dl_gitea,OU=groups,OU=company,DC=example,DC=com

try using

memberOf:1.2.840.113556.1.4.1941:=CN=dl_gitea,OU=groups,OU=company,DC=example,DC=com

See https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax for more details.

Even though this is quite an old topic, I guess this still has some relevance for users hitting here via search. Therefore I added an answer.
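The two filters discussed in this thread, as an added worked example that is not code from the thread, from Gitea, or from Active Directory. It builds the original `memberOf` filter and the `LDAP_MATCHING_RULE_IN_CHAIN` variant from the group DN, and then evaluates both against a small constructed in-memory directory (the user, group and DN names below are made up, modelled on the ones in the question) to show why `user1` fails the plain `memberOf` test but passes the chain test. The `in_chain` walk keeps a visited set so a circular group nesting cannot loop forever, and the username substituted for `%s` is escaped per RFC 4515 in this example; how Gitea itself handles the placeholder is not something the thread covers.

```python
# Added example: simulates the two Gitea user filters from the thread
# against a constructed directory. Not Gitea or AD code.

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive memberOf
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND on integers
UF_ACCOUNTDISABLE = 2  # userAccountControl bit excluded by the filter's "!" clause

# Constructed sample entries (DN -> attributes); not real directory data.
DL_GITEA = "CN=dl_gitea,OU=groups,OU=company,DC=example,DC=com"
G_DEV = "CN=g_dev,OU=groups,OU=company,DC=example,DC=com"
G_OPS = "CN=g_ops,OU=groups,OU=company,DC=example,DC=com"
G_OPS_ALL = "CN=g_ops_all,OU=groups,OU=company,DC=example,DC=com"

DIRECTORY = {
    # user1: member of g_dev only; g_dev is nested inside dl_gitea
    "CN=user1,OU=users,OU=company,DC=example,DC=com": {
        "objectCategory": "Person", "sAMAccountName": "user1",
        "userAccountControl": 512, "memberOf": [G_DEV]},
    # user2: ops user, not in the dl_gitea chain at all
    "CN=user2,OU=users,OU=company,DC=example,DC=com": {
        "objectCategory": "Person", "sAMAccountName": "user2",
        "userAccountControl": 512, "memberOf": [G_OPS]},
    # user3: in g_dev but the account is disabled (512 | 2)
    "CN=user3,OU=users,OU=company,DC=example,DC=com": {
        "objectCategory": "Person", "sAMAccountName": "user3",
        "userAccountControl": 514, "memberOf": [G_DEV]},
    G_DEV: {"memberOf": [DL_GITEA]},
    DL_GITEA: {"memberOf": []},
    # constructed circular nesting, to exercise the visited set in in_chain()
    G_OPS: {"memberOf": [G_OPS_ALL]},
    G_OPS_ALL: {"memberOf": [G_OPS]},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(group_dn: str, nested: bool) -> str:
    """Return the Gitea user filter; nested=True uses the chain matching rule."""
    if nested:
        member_clause = f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={group_dn})"
    else:
        member_clause = f"(memberOf={group_dn})"
    return ("(&(objectCategory=Person)" + member_clause + "(sAMAccountName=%s)"
            f"(!(UserAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))")


def render_filter(template: str, username: str) -> str:
    """Substitute the %s placeholder with an escaped username."""
    return template.replace("%s", escape_filter_value(username))


def in_chain(directory: dict, entry_dn: str, group_dn: str) -> bool:
    """Transitive memberOf walk, what LDAP_MATCHING_RULE_IN_CHAIN does server-side."""
    seen = set()
    todo = list(directory[entry_dn]["memberOf"])
    while todo:
        dn = todo.pop()
        if dn == group_dn:
            return True
        if dn in seen:  # circular nesting: already expanded this group
            continue
        seen.add(dn)
        todo.extend(directory.get(dn, {}).get("memberOf", []))
    return False


def user_allowed(directory: dict, username: str, group_dn: str, nested: bool) -> bool:
    """Evaluate the user filter's clauses against the constructed directory."""
    for dn, attrs in directory.items():
        if attrs.get("objectCategory") != "Person" or attrs.get("sAMAccountName") != username:
            continue
        if attrs["userAccountControl"] & UF_ACCOUNTDISABLE:
            return False  # matches the (!(UserAccountControl:...:=2)) clause
        if nested:
            return in_chain(directory, dn, group_dn)
        return group_dn in attrs["memberOf"]  # plain memberOf: direct members only
    return False


if __name__ == "__main__":
    for nested in (False, True):
        print(build_user_filter(DL_GITEA, nested))
        for user in ("user1", "user2", "user3"):
            print(f"  nested={nested} {user}: {user_allowed(DIRECTORY, user, DL_GITEA, nested)}")
```

With `nested=False` the generated filter is byte-for-byte the one in the question and `user1` is rejected, because `memberOf` on the user entry lists only `g_dev`; with `nested=True` the walk reaches `dl_gitea` through `g_dev` and `user1` is accepted, while the disabled `user3` stays rejected either way. On a real domain controller the chain rule does this walk server-side for every bind, so on large, deeply nested group hierarchies it costs noticeably more than a plain `memberOf` comparison.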