Instead of using the OneLevelUp/Leaf method of searching nested groups is there any reason to not use something like:
(distinguishedName=%{memberOf:1.2.840.113556.1.4.1941:})
for the Groups query? This seems to return all the nested groups in Active Directory.
The resource I used to find this was: http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx
Thanks,
Eric
Edit: This doesn't actually work; I had the query wrong and was allowing access to all groups. It does work if you modify the auth query, but then it's very awkward, i.e.:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=NestedGroup...))
If there's a way of retrieving nested memberOf attributes from Active Directory that would be ideal.
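
An added example, not part of the original post: it builds the auth filter in the shape shown in the edit with RFC 4515 escaping, so a username cannot widen the match, and models offline what the 1.2.840.113556.1.4.1941 rule evaluates (transitive memberOf, tolerant of group cycles). The helper names and the example.com DNs are assumptions made up for illustration.

```python
# Added example. Helper names and the example.com DNs are constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID quoted in the post


def escape_filter_value(value):
    """RFC 4515 escaping: \\ * ( ) and NUL become \\XX hex pairs."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def nested_group_auth_filter(username, group_dn):
    """Auth filter in the shape shown in the post, with escaped values."""
    return "(&(sAMAccountName=%s)(objectClass=user)(memberOf:%s:=%s))" % (
        escape_filter_value(username), IN_CHAIN, escape_filter_value(group_dn))


def in_chain(member_of, start_dn, target_dn):
    """Offline model of the rule: walk memberOf transitively, cycle-safe."""
    graph = {k.lower(): [p.lower() for p in v] for k, v in member_of.items()}
    target, seen, stack = target_dn.lower(), set(), [start_dn.lower()]
    while stack:
        for parent in graph.get(stack.pop(), ()):
            if parent == target:
                return True
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return False


BASE = "OU=Groups,DC=example,DC=com"
USER = "CN=Eric,OU=Users,DC=example,DC=com"
STAFF = "CN=Staff," + BASE
NESTED = "CN=NestedGroup," + BASE
# Constructed directory: user -> Staff -> NestedGroup -> Staff (a cycle).
MEMBER_OF = {USER: [STAFF], STAFF: [NESTED], NESTED: [STAFF]}

if __name__ == "__main__":
    print(nested_group_auth_filter("eric", NESTED))
    print("direct memberOf match:", NESTED in MEMBER_OF[USER])
    print("in-chain match:", in_chain(MEMBER_OF, USER, NESTED))
    print(nested_group_auth_filter("*)(objectClass=*", NESTED))
```

The last line printed shows a wildcard-laden username rendered as literal characters, which keeps the filter from matching every user.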