Allow Icingaweb2 login only for member of AD Group

Hi all,
we want to permit the login to icingaweb2 more. Every of our AD Users can login to Icingaweb2, but does not see anything, if he is not assigned to a role. Now we want to permit the login at all, if the user (or one of his groups) is not part of an AD Group. I created a group “Icinga2” where I added other groups which are anywhere in the AD tree. Sadly, it seems that the user backend of Icingaweb2 cannot handle this nested groups.
If I try to use the “user” backend and use the “LDAP Filter” matched on this group, Icinga tells me, that it cannot find any user. If I filter in the group backend for the Icinga2 CN, I still can login (without seeing any hosts).
The path of the valid user group is:

So only the Member of groups CN-A,B,C etc should be able to login to Icingaweb2. I don’t want to add all users itself to the Icinga2 CN, because there are already groups inside of the AD tree, which would match.
Can anybody tell me, how to solve this?

Thanks and cheers,


we also have a global Icinga2 group, if users are in that group, they are allowed to login.
Simple AD Tree:

– Icinga2 (allowed group to login)
— Some Group (member of Icinga2)
---- Allowed User (member of Some Group)

Try to set into the LDAP Filter an extended flag (for recursive search) e.g.

&(memberOf:1.2.840.113556.1.4.1941:=CN=Icinga2,<full distinguishedName here>)


1 Like