>Yes, this filter is better.  The result is a list of groups the user is a 
>direct member of.  But it does not list nested groups.  I guess if groupA is 
>a member of groupB, user chere is a member of groupA, I want a query on group 
>membership of user chere, both groupA and groupB should be listed.

The tokenGroups attribute of a user contains an expanded list of 
nested groups.

>domain.  Is this all normal?   Why do I have to use 
>(member=cn=chere,cn=users,dc=zhou,dc=com), instead of (member=cn=chere,*)?  
>Well, the (member=cn=chere,*) does not work, I don't know why.

There is no substring matching rule for distinguished names.

