Yes, you can have LDAP configured at global and domain level. Did you give fully qualified name of GROUP/OU while linking?
Easiest way to debug is to run the ldap query manually and see if it returns any results ldapsearch -x -h hostname -p port "basedn" -s sub -D "username" -w password "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))" Also check that `ldap.provider` is set to correct value and there are direct users in the group. Nested groups will only work with MicrosoftAD provider and with configuration `ldap.nested.groups.enable` set to true. There is a demo of the feature at https://youtu.be/GI9b9MiOQkw?t=4m10s Thanks, ~ Rajani http://cloudplatform.accelerite.com/ On October 12, 2016 at 6:23 AM, Marty Godsey (ma...@gonsource.com) wrote: Hello, I have an ACS 4.9 instance that runs well with no issues. I have enabled LDAP authentication at the Global Level and this works without issue. The question I have is the "Link Domain to LDAP" function at the domain level. I have a domain that I want to auto sync. I added this sub domain ( lets call it ROOT/LDAPTest ) that I configured with the DN of the group I am wanting to populate from (I also attempted this with the OU setting as well) and the user that was created cannot authenticate nor are any of the test accounts in Active Directory being created in ACS. I have LDAP configured globally and I also, as a test made the user part of the group I indicated for "LDAP Accounts" and the user shows up, but the "Link Domain to LDAP" does not seem to work. I tried looking in the logs and did not see any error or attempts to query Active Directory. Is this a broken function? Can you have both globally set LDAP settings and "Link Domain to LDAP" settings? Regards, Marty Godsey
