I ran into an AD configuration where users are in several subdomains (say NA.EXAMPLE.COM and SA.EXAMPLE.COM). However, most of the groups we care about, to which a user belongs, are in one subdomain (NA.EXAMPLE.COM). I was able to get users from multiple subdomains using CompositeGroupsMapping and creating a separate LDAPGroupsMapping for each subdomain. However, I am only getting the groups belonging to the same subdomain to which that user belongs. Has anyone run into similar AD issues, and how did you get around them?
Overall, LDAPGroupsMapping uses the user input to get the UserDN and then queries all the groups in the domain to see if that UserDN is in the 'member' field. We are able to get all the groups directly from the 'User' using 'memberOf'. So, worst case, if nothing can be done using configuration, I was thinking of overriding doGetGroups in LDAPGroupsMapping with logic to get the memberOf attributes.
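As an added example (not code from the post and not Hadoop's own LdapGroupsMapping), the script below models the two lookup strategies discussed above over a small constructed in-memory directory. The five entries, DNs and group names are made up: a user `alice` in SA.EXAMPLE.COM who is a direct member of one SA group and one NA group, a user `bob` in NA.EXAMPLE.COM, and an NA group nested inside another NA group. `groups_via_member` is the per-subdomain search for groups whose `member` holds the user DN, which is what a subdomain-scoped mapping does; `groups_via_memberof` reads the user's `memberOf` instead and walks it, which also returns groups that live in another subdomain and, optionally, the nested groups that a direct-membership search misses. Two caveats a practitioner would want before porting this to a real `doGetGroups` override: `memberOf` is a back-link that lists direct memberships only, so nested groups still have to be walked (or resolved server-side with a matching-rule-in-chain filter), and the user's primary group (set via `primaryGroupID`) never appears in `memberOf`.

```python
"""Resolve a user's AD groups across subdomains from 'memberOf'.

Added example, not Hadoop code. The directory below is constructed test
data; the DN parsing is deliberately minimal (no escaped commas).
"""
from collections import deque

# --- Constructed sample directory (DN -> attributes), spanning two subdomains.
ALICE = "CN=alice,OU=Users,DC=SA,DC=EXAMPLE,DC=COM"
BOB = "CN=bob,OU=Users,DC=NA,DC=EXAMPLE,DC=COM"
SA_ANALYSTS = "CN=sa-analysts,OU=Groups,DC=SA,DC=EXAMPLE,DC=COM"
HDFS_READERS = "CN=hdfs-readers,OU=Groups,DC=NA,DC=EXAMPLE,DC=COM"
HDFS_ALL = "CN=hdfs-all,OU=Groups,DC=NA,DC=EXAMPLE,DC=COM"

DIRECTORY = {
    ALICE: {"objectClass": ["user"], "sAMAccountName": ["alice"],
            "memberOf": [SA_ANALYSTS, HDFS_READERS]},      # cross-domain membership
    BOB: {"objectClass": ["user"], "sAMAccountName": ["bob"],
          "memberOf": [HDFS_READERS]},
    SA_ANALYSTS: {"objectClass": ["group"], "member": [ALICE], "memberOf": []},
    HDFS_READERS: {"objectClass": ["group"], "member": [ALICE, BOB],
                   "memberOf": [HDFS_ALL]},                 # nested in hdfs-all
    HDFS_ALL: {"objectClass": ["group"], "member": [HDFS_READERS], "memberOf": []},
}

NA_BASE = "DC=NA,DC=EXAMPLE,DC=COM"
SA_BASE = "DC=SA,DC=EXAMPLE,DC=COM"
FOREST_BASE = "DC=EXAMPLE,DC=COM"   # what a forest-wide (Global Catalog) search base looks like


def dn_parts(dn):
    """Split a DN into upper-cased RDNs; sufficient for the unescaped DNs used here."""
    return [p.strip().upper() for p in dn.split(",")]


def dn_cn(dn):
    """Return the value of the leading RDN, e.g. 'hdfs-readers'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def under_base(dn, base):
    """True if dn lies in the subtree rooted at base (RDN-wise suffix match)."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b


def find_user_dn(sam, base):
    """Locate a user by sAMAccountName, but only within the given search base."""
    for dn, attrs in DIRECTORY.items():
        if ("user" in attrs["objectClass"] and under_base(dn, base)
                and sam in attrs.get("sAMAccountName", [])):
            return dn
    return None


def groups_via_member(sam, base):
    """Subdomain-scoped lookup: groups under base whose 'member' holds the user DN.

    Mirrors a per-subdomain mapping: a user outside base is not found at all,
    and groups in other subdomains (or nested groups) are never returned.
    """
    user_dn = find_user_dn(sam, base)
    if user_dn is None:
        return []
    return sorted(dn_cn(dn) for dn, attrs in DIRECTORY.items()
                  if "group" in attrs["objectClass"] and under_base(dn, base)
                  and user_dn in attrs.get("member", []))


def groups_via_memberof(sam, base, nested=True):
    """Read the user's 'memberOf' and, if nested, walk each group's own 'memberOf'.

    Group DNs are returned regardless of which subdomain they live in.
    """
    user_dn = find_user_dn(sam, base)
    if user_dn is None:
        return []
    seen, queue = set(), deque(DIRECTORY[user_dn].get("memberOf", []))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue                      # guards against membership cycles
        seen.add(group_dn)
        if nested:
            queue.extend(DIRECTORY.get(group_dn, {}).get("memberOf", []))
    return sorted(dn_cn(g) for g in seen)


def composite(sam, bases, resolver):
    """Union of one resolver run per search base, like a composite mapping."""
    found = set()
    for base in bases:
        found.update(resolver(sam, base))
    return sorted(found)


if __name__ == "__main__":
    print("member, composite NA+SA:", composite("alice", [NA_BASE, SA_BASE], groups_via_member))
    print("memberOf, direct only:  ", groups_via_memberof("alice", SA_BASE, nested=False))
    print("memberOf, nested:       ", groups_via_memberof("alice", FOREST_BASE))
```

Run as-is it prints the subdomain-scoped composite result (only `sa-analysts` for `alice`, the symptom described in the post), then the `memberOf` result that also picks up the NA group, and finally the nested walk that adds the parent group. Which cross-domain groups a real DC materialises in `memberOf` depends on the domain controller you bind to and whether it is a Global Catalog, so verify the output against the actual forest before relying on it for authorization.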