There are two locations where you may need to filter groups.
- allow only a selection of AD users to login on Icingaweb2. This is via LDAP filter in the user backend
I guess some thing like:
"(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=icingaweb2,OU=Permission,OU=Groups,DC=example,DC=com))"could work as it resolves also the ones in subgroups. I use Apache Directory Studio to figure such stuff out. - in the Icingaweb2 roles, you need to define the groups and users that get the role. The group field in the roles is why there also exists a group backend
I would also advice you to have a strategy in place to sync the Icinga2 contact groups to the Icingaweb2 roles. If you ignore this, people maybe get alerts but can’t login or don’t have the right roles to view the host and/or services that generated the alerts.
The is no need to import users or groups
I also import the users into Icinga2 via director.
I work with AD groups for Icingaweb2 roles and use the same AD groups to build the contact groups in the Icinga2 config.
The goal is that all recipients of alerts can also open the links in the alerts that point to Icingaweb2