Yes, you can have LDAP configured at global and domain level.
Did you give fully qualified name of GROUP/OU while linking?
The easiest way to debug is to run the LDAP query manually and see if
it returns any results:
ldapsearch -x -h hostname -p port -b "basedn" -s sub -D "username" -W
Also check that `ldap.provider` is set to the correct value and that there
are direct users in the group.
Nested groups will only work with MicrosoftAD provider and with
configuration `ldap.nested.groups.enable` set to true.
There is a demo of the feature at
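As an added illustration of the two checks above (direct users in the linked group, and nested groups needing the MicrosoftAD provider with `ldap.nested.groups.enable`), this script is not part of the thread or of CloudStack: it parses constructed LDIF of the kind `ldapsearch` prints and reports which members are direct users and which are nested groups. The DNs are made up, and the provider value `microsoftad` is assumed to be the `ldap.provider` setting for Active Directory.

```python
import re
from typing import Dict, List, Tuple

# Constructed LDIF (hypothetical DNs), shaped like `ldapsearch -x -LLL` output
# for a linked group, a nested group, and one user entry.
SAMPLE_LDIF = """\
dn: CN=ACS-Users,OU=Groups,DC=example,DC=com
objectClass: group
member: CN=alice,OU=Users,DC=example,DC=com
member: CN=ACS-Nested,OU=Groups,DC=example,DC=com

dn: CN=ACS-Link,OU=Groups,DC=example,DC=com
objectClass: group
member: CN=ACS-Nested,OU=Groups,DC=example,DC=com

dn: CN=ACS-Nested,OU=Groups,DC=example,DC=com
objectClass: group
member: CN=alice,OU=Users,DC=example,DC=com

dn: CN=alice,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
"""

def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse plain LDIF (folded lines joined, no base64) into {dn: {attr: [values]}}."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:      # LDIF continuation line
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs: Dict[str, List[str]] = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def classify_members(entries: Dict, group_dn: str) -> Tuple[List[str], List[str]]:
    """Split a group's member DNs into direct users and nested groups."""
    direct, nested = [], []
    for dn in entries.get(group_dn, {}).get("member", []):
        classes = [c.lower() for c in entries.get(dn, {}).get("objectClass", [])]
        (nested if "group" in classes else direct).append(dn)
    return direct, nested

def link_will_sync_users(entries: Dict, group_dn: str, provider: str, nested_enabled: bool) -> bool:
    """True if the linked group yields users: direct members, or nested ones with AD + nesting on."""
    direct, nested = classify_members(entries, group_dn)
    return bool(direct) or (bool(nested) and provider == "microsoftad" and nested_enabled)
```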
On October 12, 2016 at 6:23 AM, Marty Godsey
I have an ACS 4.9 instance that runs well with no issues. I have
enabled LDAP authentication at the Global Level and this works
without issue. The question I have is the "Link Domain to LDAP"
function at the domain level. I have a domain that I want to auto
sync. I added this sub domain (let's call it ROOT/LDAPTest) that
I configured with the DN of the group I am wanting to populate
from (I also attempted this with the OU setting as well) and the
user that was created cannot authenticate nor are any of the test
accounts in Active Directory being created in ACS.
I have LDAP configured globally and I also, as a test, made the
user part of the group I indicated for "LDAP Accounts" and the
user shows up, but the "Link Domain to LDAP" does not seem to
work. I tried looking in the logs and did not see any error or
attempts to query Active Directory.
Is this a broken function? Can you have both globally set LDAP
settings and "Link Domain to LDAP" settings?