In our AD we have a parent OU called "Corp Accounts" and within that we have various OUs such as "Contractors", "Staff", "Equipment", "Service Accounts" and so on.
I'm currently using LDAP authentication on our SA, but I can only get it to work at the "OU=Corp Accounts...." level, when ideally I want to restrict it so that only users in "Staff" and "Contractors" can authenticate (as accounts for things such as equipment and service accounts should never need to be using a VPN).
I know I can filter on group membership but that's additional overhead and relies on us doing something other than simply dropping accounts in the relevant OU.
Can I do this with a filter or anything?
Role mapping should be able to achieve your requirement.
If you point your base DN to Corp Accounts, and use filter cn=* you should get all groups available under all OUs within Corp Accounts.
This way you can limit authentication/authorization to only groups that belong to "Staff" and "Contractors".
It does, to an extent; however, we have some roles where I want to say "Anyone who logs on", and I don't want to have to start adding people to a distinct VPN Users group.
In reality it's not a significant risk but it would be nice to take the option away for a projector or a meeting room to be able to log on.