
tuser.ja

Community Answers

  1. tuser.ja's post in LDAP (AD 2012) Nested AD Groups and Role Mapping was marked as the answer   
    After much trial and error, and some assumption on my part based on the existing UserSearch filter, I have found the solution to my problem.  I hope this helps anyone wanting to leverage existing groups and user memberships, while still having a specific, manageable configuration for including Jasper Reports into the organization's directory services for authentication and authorization.
    Referenced documentation:
    http://community.jaspersoft.com/documentation/jasperreports-server-authentication-cookbook/mapping-user-roles
    http://community.jaspersoft.com/blog/jasperserver-user-authentication-microsoft-active-directory
    http://community.jaspersoft.com/wiki/secure-active-directoryldapldaps-authentication-groups
    http://forum.spring.io/forum/spring-projects/data/ldap/107516-find-all-sub-groups-of-all-depths-of-a-given-group-in-ldap-using-ldaptemplate
     
    I changed the group search filter from:
    <value>(&(member={0})(objectclass=group)(cn=jasper_*))</value>
    Which expects to find a user as a direct member of a group beginning with "jasper_" to match a role
    to:
    <property name="groupSearchFilter" value="(&((objectClass=group)(member:1.2.840.113556.1.4.1941:={0})(cn=jasper_*)))"/>
    Which, like the userSearch, recursively searches through the user's memberships for a group matching "jasper_" to match and map a role.

    It is my understanding based on what I've read from the Spring documentation and other posts that the recursive functionality is not present in all LDAP implementations.  The referenced article https://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx indicates that the rule OID above:
    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN): This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.
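
What the switch from the direct `member` filter to the in-chain rule changes for role mapping, modelled offline as an added example that is not part of the post above or of JasperReports Server. The directory contents, DNs and function names are constructed, and the traversal only models the matching rule's behaviour, including a circular nesting.

```python
from collections import deque
from fnmatch import fnmatch

BASE = "OU=Demo,DC=example,DC=com"  # constructed naming context (assumption)

def dn(cn):
    return f"CN={cn},{BASE}"

# Constructed directory: group DN -> DNs listed in its "member" attribute.
GROUPS = {
    dn("jasper_admin"): {dn("IT Staff")},
    dn("jasper_user"): {dn("bob")},
    dn("IT Staff"): {dn("Helpdesk")},
    dn("Helpdesk"): {dn("alice"), dn("IT Staff")},  # circular nesting
}

def direct_groups(member_dn):
    """Groups that list member_dn directly, like (member={0})."""
    return {g for g, members in GROUPS.items() if member_dn in members}

def chain_groups(member_dn):
    """Direct and inherited groups, like (member:1.2.840.113556.1.4.1941:={0})."""
    seen, queue = set(), deque([member_dn])
    while queue:
        for group in direct_groups(queue.popleft()):
            if group not in seen:  # guard against circular nesting
                seen.add(group)
                queue.append(group)
    return seen

def mapped_roles(user_dn, recursive, pattern="jasper_*"):
    """CNs of groups passing the cn=jasper_* clause, compared case-insensitively."""
    groups = chain_groups(user_dn) if recursive else direct_groups(user_dn)
    cns = (g.split(",", 1)[0].split("=", 1)[1] for g in groups)
    return sorted(cn for cn in cns if fnmatch(cn.lower(), pattern.lower()))

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, mapped_roles(dn(user), False), mapped_roles(dn(user), True))
```

With the recursive filter, every account nested anywhere beneath a `jasper_*` group receives that role, so a review of who holds a role has to walk the same chain rather than read the group's direct members.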
     