Nested groups in LDAP occur when one group is a member of another group, such as when a group “Senior Developers” is a subset of the “Developers” group. If your LDAP server isn’t configured to support nested group queries, this can cause issues with user authentication in Matomo.

Configuring your LDAP server to support nested groups.
Matomo supports an operator called LDAP_MATCHING_RULE_IN_CHAIN which can traverse nested group relationships in LDAP, allowing Matomo to authenticate users who belong to a nested group. It’s used by adding the string :1.2.840.113556.1.4.1941: to your query filter.

To resolve nested group issues in Matomo:
1. Login as a superuser.
2. Click the cog icon Settings within the top menu to go to the Matomo settings page.
3. Navigate to the Settings > LDAP page.
4. Update your Ldap member of field under “LDAP Settings” as below and press save.

5. Add required group and press test to verify if it returns the count as expected

Note: For the above solution to work your LDAP server should support LDAP_MATCHING_RULE_IN_CHAIN option, which is primarily available for Microsoft Active Directory servers only.

Previous FAQ: How do I fix the issue with X509 certificate not being included in the SAMLRequest?