Bug #31421
openLDAP: external groups mapping does not work with groups in groups
Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Description
I have configured an Active Directory backend which uses groups in groups.
For login everything works fine when using a filter like memberOf:1.2.840.113556.1.4.1941:=..., so users can log in while being a member of a group which is itself a member of the group used in the filter.
But external group mapping does not work as expected. When the group from the filter is used, it does not map the users to the role. When the group of which the user is directly a member is used, it works as it should.
LDAP Authentication is configured with hammer like this:
hammer auth-source ldap create \
  --name "Management-AD" \
  --host "ad.example.com" \
  --tls true \
  --port 636 \
  --server-type "active_directory" \
  --account "foreman@example.com" \
  --account-password "password" \
  --base-dn "DC=example,DC=com" \
  --groups-base "DC=example,DC=com" \
  --ldap-filter "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=Foreman,DC=example,DC=com))" \
  --onthefly-register true \
  --usergroup-sync true \
  --attr-login "sAMAccountName" \
  --attr-firstname "givenName" \
  --attr-lastname "sn" \
  --attr-mail "mail" \
  --location "location" \
  --organization "organization"
From what I have seen, ldap_fluff has a recursive group search for Active Directory, but I am not sure whether it is used at all.
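The difference the report describes, as an added illustration that is not Foreman or ldap_fluff code: the login filter uses the Active Directory matching-rule-in-chain OID (1.2.840.113556.1.4.1941), which evaluates memberOf transitively, whereas a mapping that only looks at a user's direct memberOf values never sees the parent group. The directory below is constructed sample data (DN -> memberOf list) held in a hash, the helper names (norm_dn, direct_groups, nested_groups, roles_for) are assumptions for this example, and the group-to-role table is likewise made up; the walk over parent groups keeps a visited set so a membership loop cannot hang it.

```ruby
# Added example, not Foreman or ldap_fluff code: direct versus nested (transitive)
# group membership over a constructed in-memory directory.
require 'set'

# Constructed directory: each entry's DN -> the DNs in its memberOf attribute.
# Ops-Team is a member of Foreman; jdoe is only a direct member of Ops-Team.
SAMPLE_DIRECTORY = {
  'CN=jdoe,OU=Users,DC=example,DC=com'      => ['CN=Ops-Team,OU=Groups,DC=example,DC=com'],
  'CN=Ops-Team,OU=Groups,DC=example,DC=com' => ['CN=Foreman,DC=example,DC=com'],
  'CN=Foreman,DC=example,DC=com'            => [],
  'CN=asmith,OU=Users,DC=example,DC=com'    => ['CN=Foreman,DC=example,DC=com'],
  # A membership loop, which directories can contain; the walk must still terminate.
  'CN=LoopA,OU=Groups,DC=example,DC=com'    => ['CN=LoopB,OU=Groups,DC=example,DC=com'],
  'CN=LoopB,OU=Groups,DC=example,DC=com'    => ['CN=LoopA,OU=Groups,DC=example,DC=com'],
  'CN=bloop,OU=Users,DC=example,DC=com'     => ['CN=LoopA,OU=Groups,DC=example,DC=com'],
}.freeze

# Constructed group-to-role table (assumption for this example).
GROUP_ROLES = { 'CN=Foreman,DC=example,DC=com' => 'Viewer' }.freeze

# Active Directory compares DNs case-insensitively, so normalise before comparing.
def norm_dn(dn)
  dn.downcase
end

# Groups the user is a direct member of: what a plain memberOf= lookup returns.
def direct_groups(directory, user_dn)
  (directory[user_dn] || []).map { |dn| norm_dn(dn) }.to_set
end

# Transitive closure of memberOf: what the matching-rule-in-chain filter evaluates.
# Breadth-first walk with a visited set so cycles cannot loop forever.
def nested_groups(directory, user_dn)
  index = directory.each_with_object({}) do |(dn, parents), h|
    h[norm_dn(dn)] = parents.map { |p| norm_dn(p) }
  end
  seen = Set.new
  queue = index.fetch(norm_dn(user_dn), []).dup
  until queue.empty?
    group = queue.shift
    next if seen.include?(group)
    seen << group
    queue.concat(index.fetch(group, []))
  end
  seen
end

# Map a user to roles from the group table, using direct or nested membership.
def roles_for(directory, user_dn, group_roles, nested: true)
  groups = nested ? nested_groups(directory, user_dn) : direct_groups(directory, user_dn)
  group_roles.each_with_object([]) do |(group_dn, role), roles|
    roles << role if groups.include?(norm_dn(group_dn))
  end
end

if __FILE__ == $PROGRAM_NAME
  user = 'CN=jdoe,OU=Users,DC=example,DC=com'
  puts "direct-only mapping: #{roles_for(SAMPLE_DIRECTORY, user, GROUP_ROLES, nested: false).inspect}"
  puts "nested mapping:      #{roles_for(SAMPLE_DIRECTORY, user, GROUP_ROLES, nested: true).inspect}"
end
```

With the direct-only lookup jdoe gets no role from the Foreman group even though the login filter accepts the account; only the transitive walk reproduces what the filter matched. When checking a deployment, compare the group the mapping is keyed on against the user's own memberOf values: if it appears only as a parent of one of them, a direct-only mapping will miss it.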