With LDAP authorization, you can currently only take an AD group in which the AD users are direct members. It would be good if you could also select an AD group that has other AD groups as members.