Bug
Resolution: Unresolved
Critical
None
Jenkins: 2.190.2
LDAP Plugin: 1.21
We have a pretty large company that has users created in different domains and user groups in a single domain. When we attempt to do user grouping, if the user's base DN doesn't match the group DN, the group won't match to the user. We try to manage access all via a single (largely nested) group.
What I observe:
User 1: CN=UserName1,OU=Users,OU=SomePlace,dc=foo,DC=company,DC=com
User 2: CN=UserName2,OU=Users,OU=SomeOtherPlace,dc=bar,DC=company,DC=com
Group 1: CN=MyBigGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com
Group 2: CN=MyNestedGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com
User 1 and User 2 are members of "MyNestedGroup".
Here is my LDAP config:
Server: ldap://server.company.com:3268
Root DN: DC=company,DC=com
User Search Base: <empty>
User Search Filter: sAMAccountName={0}
Group Search Base: <empty>
Group Search Filter: (&(cn={0})(objectclass=group))
Group Membership: (Search for LDAP groups containing user)
Group Membership Filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
When I search for "UserName1" it matches to MyNestedGroup and MyBigGroup; when I search for "UserName2" it doesn't match to any groups.
Am I doing something wrong with my queries/filters or is this a bug in the ldap-plugin?
*Note: when I do "Parse user attribute for list of LDAP groups" instead, I see "MyNestedGroup" for both users (no matches to MyBigGroup, which is expected as no reverse lookup appears to be done here).
When I run the script console with the following, I see that everything has the right members:
println(Jenkins.instance.securityRealm.loadGroupByGroupname('MyBigGroup', true).getMembers())
println(Jenkins.instance.securityRealm.loadGroupByGroupname("MyNestedGroup", true).getMembers())
-------------------------
[MyNestedGroup]
[User1, User2]
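To separate directory behaviour from plugin behaviour, the search from the configuration above can be rebuilt and run outside Jenkins. The following is an added example, not part of the original report and not the plugin's code: it flags users whose DC components differ from the group's and builds the matching ldapsearch command line. It assumes `{0}` is replaced by the user's DN (the `member` matching rule takes a DN); all function names are hypothetical.

```python
import re
import shlex

# Values copied from the configuration in the report above.
SERVER = "ldap://server.company.com:3268"
ROOT_DN = "DC=company,DC=com"
MEMBERSHIP_FILTER = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))"

def rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def domain_of(dn):
    """Join the DC components of a DN into a lowercase DNS-style domain."""
    pairs = [r.split("=", 1) for r in rdns(dn)]
    return ".".join(v.lower() for k, v in pairs if k.strip().lower() == "dc")

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def membership_filter(user_dn):
    """Assumption: {0} in the Group Membership Filter is the user's DN."""
    return MEMBERSHIP_FILTER.replace("{0}", escape_filter_value(user_dn))

def repro_command(user_dn):
    """ldapsearch command issuing the same subtree search from Root DN.
    Add -D <bind DN> -W if the server refuses anonymous binds."""
    argv = ["ldapsearch", "-x", "-H", SERVER, "-b", ROOT_DN, "-s", "sub",
            membership_filter(user_dn), "cn"]
    return " ".join(shlex.quote(a) for a in argv)

def cross_domain_users(user_dns, group_dn):
    """Users whose DC components differ from those of the group."""
    return [u for u in user_dns if domain_of(u) != domain_of(group_dn)]

# DNs as given in the report.
USERS = ["CN=UserName1,OU=Users,OU=SomePlace,dc=foo,DC=company,DC=com",
         "CN=UserName2,OU=Users,OU=SomeOtherPlace,dc=bar,DC=company,DC=com"]
GROUP = "CN=MyNestedGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com"

if __name__ == "__main__":
    for dn in cross_domain_users(USERS, GROUP):
        print(domain_of(dn), "->", repro_command(dn))
```

If the command returns both groups for UserName2, the directory answers the filter correctly and the difference lies in how Jenkins issues or processes the search; if it returns nothing, the result is coming from the directory itself.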