BitWarden support of LDAP Rule OIDs?

I am trying to apply a User filter of
(&(|(memberOf=CN=BitWarden Users,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local)(memberOf:1.2.840.113556.1.4.1941:=CN=BitWarden Groups,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local))(memberOf:1.2.840.113556.1.4.1941:=CN=All Users,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local)(!memberOf:1.2.840.113556.1.4.1941:=CN=BitWarden Excluded Users,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local))

Which, exploded for readability, is

(&   
    (|
        (memberOf=CN=BitWarden Users,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local)
        (memberOf:1.2.840.113556.1.4.1941:=CN=BitWarden Groups,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local)     
    )
    (memberOf:1.2.840.113556.1.4.1941:=CN=All Users,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local)     
    (!memberOf:1.2.840.113556.1.4.1941:=CN=BitWarden Excluded Users,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local)
)

So, basically

 if 
 (
     ($user is in Bitwarden Users OR  $User is in a group in bitwarden groups) 
     AND $user is in All Users group recursively (which they are only in if they have an email, so they don't get a bounce block) 
     AND the user is not being specifically excluded recursively 
 ) then they show up 

In my filter, when I test with PowerShell, this is correct, but when I input this and test it ($LDAPFilter | Set-ClipBoard, so no typos)
I get this

Does BitWarden not work with these rule OIDs?

I’ve been doing some poking around GitHub.
It looks like BitWarden does its LDAP searching through ldapjs, probably from here. And according to that GitHub at least

Note that ldapjs doesn’t support extensible matching, since it’s one of those features that almost nobody actually uses in practice.

memberOf:1.2.840.113556.1.4.1941 is an OID for an Extensible Matching rule called LDAP_MATCHING_RULE_TRANSITIVE_EVAL or LDAP_MATCHING_RULE_IN_CHAIN, which essentially says “MemberOf this group, recursively”.

So, it’s something that may have to be fixed at the ldapjs level, and also I guess I’m a nobody :frowning:

Yes, unfortunately this seems to be a limitation of ldapjs. Sorry :-/
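
What the recursive memberOf terms in the filter above compute, emulated client-side for a client that cannot send extensible-match filters. This is an added example, not code from the thread, Bitwarden or ldapjs; the directory entries and the helper names `transitiveGroups`, `matchesFilter` and `syncedUsers` are constructed for illustration.

```javascript
// Constructed sample data: entry DN -> its direct memberOf values (not a real directory).
const BASE = 'OU=Security Groups,OU=MyBusiness,DC=domain,DC=local';
const dn = (cn) => `CN=${cn},${BASE}`.toLowerCase(); // AD compares DNs case-insensitively

const directory = new Map([
  [dn('alice'), [dn('BitWarden Users'), dn('Staff')]],
  [dn('bob'), [dn('Finance')]],                       // reaches BitWarden Groups via Finance
  [dn('carol'), [dn('Finance'), dn('Contractors')]],  // Contractors is nested in the excluded group
  [dn('dave'), [dn('BitWarden Users')]],              // not in All Users
  [dn('Finance'), [dn('BitWarden Groups'), dn('Staff')]],
  [dn('Contractors'), [dn('BitWarden Excluded Users'), dn('Staff')]],
  [dn('Staff'), [dn('All Users')]],
  [dn('All Users'), [dn('Staff')]],                   // deliberate cycle
]);

// Every group reachable by following memberOf links from an entry. This is the set
// that (memberOf:1.2.840.113556.1.4.1941:=<group>) tests membership against.
function transitiveGroups(dir, entryDn) {
  const seen = new Set();
  const stack = [...(dir.get(entryDn) || [])];
  while (stack.length > 0) {
    const group = stack.pop();
    if (seen.has(group)) continue; // nested groups can loop; visit each once
    seen.add(group);
    stack.push(...(dir.get(group) || []));
  }
  return seen;
}

// The thread's filter: (&(|(direct)(recursive))(recursive)(!recursive))
function matchesFilter(dir, userDn) {
  const direct = new Set(dir.get(userDn) || []);
  const chain = transitiveGroups(dir, userDn);
  const allowed = direct.has(dn('BitWarden Users')) || chain.has(dn('BitWarden Groups'));
  return allowed && chain.has(dn('All Users')) && !chain.has(dn('BitWarden Excluded Users'));
}

// Names of the sample users the filter would select.
function syncedUsers(dir, names) {
  return names.filter((name) => matchesFilter(dir, dn(name)));
}

console.log(syncedUsers(directory, ['alice', 'bob', 'carol', 'dave']));
```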