From 8fa80874a6d7c83cc0bea3c97992235d6a448936 Mon Sep 17 00:00:00 2001 From: Jan Zhanal <34436593+janzhanal@users.noreply.github.com> Date: Thu, 26 Jan 2023 17:47:59 +0100 Subject: [PATCH] doc: LDAP/AD - nested groups (#16483) --- docs/sts/ldap.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/sts/ldap.md b/docs/sts/ldap.md index d10892be1..ac886c39d 100644 --- a/docs/sts/ldap.md +++ b/docs/sts/ldap.md @@ -104,6 +104,7 @@ The search filter must use the LDAP username to find the user DN. This is done v The returned user's DN and their password are then verified with the LDAP server. The user DN may also be associated with an [access policy](#managing-usergroup-access-policy). + ### Group membership search MinIO can be optionally configured to find the groups of a user from AD/LDAP by specifying the folllowing variables: @@ -117,6 +118,14 @@ The search filter must use the username or the DN to find the user's groups. Thi A group's DN may be associated with an [access policy](#managing-usergroup-access-policy). +#### Nested groups usage in LDAP/AD +If you are using Active directory with nested groups you have to add LDAP_MATCHING_RULE_IN_CHAIN: :1.2.840.113556.1.4.1941: to your query. +For example: +```shell +group_search_filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%d)) +user_dn_search_filter: (&(memberOf:1.2.840.113556.1.4.1941:=CN=group,DC=dc,DC=net)(sAMAccountName=%s)) +``` + ### Sample settings Here are some (minimal) sample settings for development or experimentation:
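Review bot: In the second hunk the new "Nested groups usage in LDAP/AD" section should state that the `:1.2.840.113556.1.4.1941:` extensible-match rule (`LDAP_MATCHING_RULE_IN_CHAIN`) is a Microsoft Active Directory extension, so the example filters only resolve nested membership against AD and will not do so on OpenLDAP or other directory servers; the heading says "LDAP/AD" but the body applies to AD only, and the sentence reads oddly with the name and OID separated by ": :". Suggest "you have to add the `LDAP_MATCHING_RULE_IN_CHAIN` extensible match (`:1.2.840.113556.1.4.1941:`) to your filter" and "Active Directory" with a capital D. The code fence is tagged `shell` but contains `key: value` lines rather than shell, so either tag it to match or show the actual MinIO configuration variables that the surrounding text refers to. The `CN=group,DC=dc,DC=net` value in `user_dn_search_filter` should be marked as a placeholder, and a sentence noting that this filter restricts who can authenticate to transitive members of that group would help, since readers may copy it without realising it gates login.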