TMC-SM (Tanzu Mission Control Self-Managed) is configured with Pinniped and Active Directory (AD) federation.
A user in a nested AD group (User-B) can authenticate but cannot view objects (e.g., clusters) created by another user (User-A).
Scenario Example
Although both can log in, User-B cannot see User-A’s objects, indicating incorrect group mapping or authorization.
All TMC-SM versions
The default groupSearchFilter in Pinniped’s LDAP configuration does not search nested AD group membership.
As a result, nested-group users are not recognized as members of the parent group (e.g., tmc-admin), causing authorization or role-mapping failures.
Update ldap.groupSearchFilter to enable recursive group lookup.
1. Switch to the Kubernetes Context of the Workload Cluster
kubectl config use-context <WORKLOAD CLUSTER CONTEXT>
2. Export the values.yaml
kubectl -n tmc-local get secret tanzu-mission-control-tmc-local-values -ojsonpath='{.data.values\.yaml}' | base64 -d > values.yaml
3. Modify groupSearchFilter under the ldap section of values.yaml so it reads:
groupSearchFilter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))
Note: OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) enables recursive membership resolution, including nested groups.
4. Apply the updated values.yaml
tanzu package installed update tanzu-mission-control -p tmc.tanzu.vmware.com --version <package-version> --values-file ./values.yaml --namespace tmc-local
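The following is an added example, not part of the KB article and not Pinniped's or TMC's code. It is an offline model of the cause described above: the non-recursive filter only matches groups that list the user directly in their member attribute, while the LDAP_MATCHING_RULE_IN_CHAIN filter walks the member chain and therefore also resolves nested groups. The directory contents, DNs and group names are constructed sample data; DEFAULT_FILTER is assumed to represent the non-recursive form. The render_filter helper also shows why the {} placeholder must be substituted with RFC 4515 escaping, which Pinniped does for you but which matters if you test a filter by hand.

```python
"""
Added example (not from the KB article): an offline model of why a
non-recursive Pinniped groupSearchFilter misses nested AD members while
the LDAP_MATCHING_RULE_IN_CHAIN filter finds them. No LDAP server is
contacted; the directory below is constructed sample data and all DNs
and names are hypothetical.
"""
from typing import Dict, List, Set

# Constructed sample directory: group DN -> member DNs (as AD's 'member'
# attribute would hold them). User-A is a direct member of tmc-admin;
# User-B is only a member of platform-team, which is nested in tmc-admin.
DIRECTORY: Dict[str, List[str]] = {
    "CN=tmc-admin,OU=Groups,DC=example,DC=local": [
        "CN=User-A,OU=Users,DC=example,DC=local",
        "CN=platform-team,OU=Groups,DC=example,DC=local",
    ],
    "CN=platform-team,OU=Groups,DC=example,DC=local": [
        "CN=User-B,OU=Users,DC=example,DC=local",
    ],
}

TMC_ADMIN_DN = "CN=tmc-admin,OU=Groups,DC=example,DC=local"

# Pinniped substitutes the authenticated user's DN for "{}" at query time.
# DEFAULT_FILTER is assumed here to stand for the non-recursive form;
# IN_CHAIN_FILTER is the value from the KB's resolution step.
DEFAULT_FILTER = "(&(objectClass=group)(member={}))"
IN_CHAIN_FILTER = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx hex escapes
    so a DN containing filter metacharacters cannot change the filter's shape."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, user_dn: str) -> str:
    """Substitute the user DN into a groupSearchFilter template safely."""
    return template.replace("{}", escape_filter_value(user_dn))


def direct_groups(dn: str) -> Set[str]:
    """Groups matched by (member=<dn>): direct membership only."""
    return {g for g, members in DIRECTORY.items() if dn in members}


def transitive_groups(user_dn: str) -> Set[str]:
    """Groups matched by (member:1.2.840.113556.1.4.1941:=<dn>): follows the
    member chain, so groups that contain the user's groups are included too."""
    found: Set[str] = set()
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for group in direct_groups(dn):
            if group not in found:
                found.add(group)
                frontier.append(group)  # a group can itself be a member of another group
    return found


def is_tmc_admin(user_dn: str, recursive: bool) -> bool:
    """True if the user resolves to tmc-admin under the chosen filter semantics."""
    groups = transitive_groups(user_dn) if recursive else direct_groups(user_dn)
    return TMC_ADMIN_DN in groups


if __name__ == "__main__":
    for user in ("User-A", "User-B"):
        dn = f"CN={user},OU=Users,DC=example,DC=local"
        print(f"{user}: non-recursive={is_tmc_admin(dn, False)} in-chain={is_tmc_admin(dn, True)}")
        print("   rendered filter:", render_filter(IN_CHAIN_FILTER, dn))
```

Running the block prints that User-A is recognised as tmc-admin under both filters while User-B is recognised only under the in-chain filter, which is exactly the symptom in the article: both users log in, but only the direct member receives the role mapped to tmc-admin.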