If creating a PATCH, add this to the patch install instructions:
Once the patch has been installed, please run the following ssoadm commands to add the new recursive group search attributes to the service configuration for AD and ADAM:
ssoadm add-attrs -s sunIdentityRepositoryService -t Organization -F RecursiveGroupSearchAttribute.xml -c LDAPv3ForAD -u amadmin -f pass.txt
ssoadm add-attrs -s sunIdentityRepositoryService -t Organization -F RecursiveGroupSearchAttribute.xml -c LDAPv3ForADAM -u amadmin -f pass.txt
When resolving group memberships with Active Directory as a Data Store, only the groups that a user is a direct member of are resolved. Active Directory can resolve nested groups itself when the query uses a special extensible match filter.
It would be handy if OpenAM had the option to enable resolving nested groups for AD.
For example, when looking up group memberships via the unique member attribute, OpenAM currently uses the following as the filter:
Simply changing this to:
will ask AD to do a recursive lookup of groups.
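The following is an added example, not OpenAM code. It shows the two filter shapes side by side: the plain equality filter that returns only direct memberships, and an extensible-match filter using Active Directory's public LDAP_MATCHING_RULE_IN_CHAIN matching-rule OID (1.2.840.113556.1.4.1941), which makes the server walk the membership chain. The exact filter OpenAM builds is not shown above, so the filter strings here are my own construction; the attribute name, user DN and the small in-memory group graph are constructed sample data. The DN is escaped per RFC 4515 before it is placed in the filter, since a user DN containing `(`, `)`, `*` or `\` would otherwise change the filter's structure. A client-side breadth-first resolver with a visited set is included so the direct and nested results can be compared, including the case of a membership cycle, which a naive recursive resolver would loop on.

```python
from collections import deque

# Matching-rule OID for Active Directory's LDAP_MATCHING_RULE_IN_CHAIN (a public,
# documented Microsoft value). Used as an extensible match, it tells AD to return
# groups reached transitively, not only groups that list the DN directly.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so characters that are special in
    a search filter (backslash, asterisk, parentheses, NUL) are encoded as \\XX."""
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def direct_membership_filter(member_attr: str, user_dn: str) -> str:
    """Equality filter: matches only groups that list user_dn directly.
    (Constructed here to illustrate the current, non-recursive behaviour.)"""
    return "(%s=%s)" % (member_attr, escape_filter_value(user_dn))


def nested_membership_filter(member_attr: str, user_dn: str) -> str:
    """Extensible-match filter: attr:<rule OID>:=value. With the in-chain rule,
    AD also returns groups that contain user_dn through other groups."""
    return "(%s:%s:=%s)" % (
        member_attr, LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn)
    )


# Constructed sample directory: group DN -> set of member DNs (users or groups).
# "everyone" and "loop" contain each other, forming a membership cycle.
SAMPLE_GROUPS = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "cn=alice,ou=users,dc=example,dc=com",
    },
    "cn=employees,ou=groups,dc=example,dc=com": {
        "cn=staff,ou=groups,dc=example,dc=com",
    },
    "cn=everyone,ou=groups,dc=example,dc=com": {
        "cn=employees,ou=groups,dc=example,dc=com",
        "cn=loop,ou=groups,dc=example,dc=com",
    },
    "cn=loop,ou=groups,dc=example,dc=com": {
        "cn=everyone,ou=groups,dc=example,dc=com",
    },
}


def resolve_direct(groups: dict, user_dn: str) -> set:
    """What the equality filter yields: groups listing user_dn as a member."""
    return {group for group, members in groups.items() if user_dn in members}


def resolve_nested(groups: dict, user_dn: str) -> set:
    """Client-side equivalent of the in-chain rule: breadth-first walk over
    group-of-group membership. The 'found' set doubles as the visited set so a
    cycle in the group graph terminates instead of recursing forever."""
    found = set()
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group, members in groups.items():
            if dn in members and group not in found:
                found.add(group)
                queue.append(group)
    return found


if __name__ == "__main__":
    alice = "cn=alice,ou=users,dc=example,dc=com"
    print(direct_membership_filter("uniqueMember", alice))
    print(nested_membership_filter("uniqueMember", alice))
    print("direct:", sorted(resolve_direct(SAMPLE_GROUPS, alice)))
    print("nested:", sorted(resolve_nested(SAMPLE_GROUPS, alice)))
```

With the sample data, the direct lookup returns only the staff group, while the nested resolution also returns employees, everyone and loop, and returns despite the everyone/loop cycle. Running the real extensible-match filter against AD moves that walk to the server, so the client issues one search instead of one per level of nesting.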