NetOps Portal LDAP does not care about the hierarchy of groups.
LdapGroups processing works as follows:
1) Read the memberOf attribute on the user record provided by LDAP.
2) Cycle through the entries in the LdapGroups XML; if an entry matches an entry in memberOf, that entry's userClone is used.
3) We don't know anything about the hierarchy of groups in SSO.
4) If you want sub-groups to use the same userClone, you need to add an entry to LdapGroups for each subgroup as well. For example:
<LDAPGroups>
<Group searchTag="memberOf" searchString="CN=usr_grp,OU=MyLDAP,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="user"/>
<Group searchTag="memberOf" searchString="CN=pwr_grp,OU=MyLDAPGroups,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="power"/>
<Group searchTag="memberOf" searchString="CN=adm_grp,OU=MyLDAPGroups,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="admin"/>
</LDAPGroups>
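The following Python sketch models the flat matching described in steps 1 to 4, to show why a user who is only in a nested subgroup gets no userClone until that subgroup has its own entry. It is an added example, not NetOps Portal code; the subgroup DN, the sample user, first-match-wins ordering and case-insensitive DN comparison are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed config modelled on the page's example (two entries only).
BASE_XML = """<LDAPGroups>
<Group searchTag="memberOf" searchString="CN=usr_grp,OU=MyLDAP,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="user"/>
<Group searchTag="memberOf" searchString="CN=adm_grp,OU=MyLDAPGroups,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="admin"/>
</LDAPGroups>"""

# Hypothetical subgroup nested inside adm_grp in the directory.
SUBGROUP_DN = "CN=adm_sub_grp,OU=MyLDAPGroups,OU=Accounts,DC=madeUp,DC=com"

# Same config with the extra per-subgroup entry the page says is required.
EXTENDED_XML = BASE_XML.replace(
    "</LDAPGroups>",
    '<Group searchTag="memberOf" searchString="%s" user="{sAMAccountName}" '
    'passwd="" userClone="admin"/>\n</LDAPGroups>' % SUBGROUP_DN)


def norm(dn):
    # Assumption: DNs are compared ignoring case and surrounding whitespace.
    return dn.strip().lower()


def load_groups(xml_text):
    """Return (searchTag, searchString, userClone) tuples in file order."""
    root = ET.fromstring(xml_text)
    return [(g.get("searchTag"), g.get("searchString"), g.get("userClone"))
            for g in root.iter("Group")]


def resolve_user_clone(groups, record):
    """Flat match, no hierarchy walk. Assumption: first matching entry wins."""
    for tag, search, clone in groups:
        if norm(search) in {norm(v) for v in record.get(tag, [])}:
            return clone
    return None


def unmapped_groups(groups, record):
    """memberOf values with no LdapGroups entry: candidates for a new entry."""
    mapped = {norm(s) for t, s, _ in groups if t == "memberOf"}
    return [dn for dn in record.get("memberOf", []) if norm(dn) not in mapped]


# Constructed LDAP record: the user belongs only to the nested subgroup.
NESTED_USER = {"sAMAccountName": ["jdoe"], "memberOf": [SUBGROUP_DN]}

if __name__ == "__main__":
    for name, xml_text in (("base", BASE_XML), ("extended", EXTENDED_XML)):
        groups = load_groups(xml_text)
        print(name, resolve_user_clone(groups, NESTED_USER),
              unmapped_groups(groups, NESTED_USER))
```

Running `unmapped_groups` over real memberOf values before rollout lists the subgroups that still need an entry, and reviewing which userClone each new entry grants keeps a subgroup from being mapped to a more privileged clone than intended.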