Resolution: Won't Fix
When the LDAP import method is set to Group, LDAP first imports all the groups matched by its configuration, then imports the users who belong to those groups. Users who do not belong to any of the groups found by LDAP should never be imported.
However, LDAP authentication currently does not honor this configuration. On login, LDAP authentication imports the user from the server without first checking whether the user is a member of one of the groups found by the LDAP import.
Steps to Reproduce
1. Create an Active Directory server with a group and a user who does not belong to the group.
2. Navigate to Control Panel > Instance Settings > LDAP > General.
3. Check the Enabled box and click the Save button.
4. Navigate to Control Panel > Instance Settings > LDAP > Import.
5. Check the Enable Import and Enable Import on Startup boxes.
6. Change the Import Method to Group.
7. Click the Save button.
8. Navigate to Control Panel > Instance Settings > LDAP > Servers.
9. Add a Server configuration pointing to the Active Directory server you set up in step 1. For the Groups Import Search Filter, create a filter pointing to the group you created in step 1. For instance, if the group's name was "My Group", the Import Search Filter might look like:
10. Restart the server and wait for the LDAP import to complete.
11. Verify that the user from step 1 was NOT imported since the user does not belong to the group, and the LDAP import method is set to Group.
12. Attempt to log in as the user from step 1.
Expected Result: The login fails because the user should not be imported by LDAP.
Actual Result: The user is imported from LDAP and the login succeeds.
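The two login behaviours described above (the reported one, and the one the Group import method requires) as an added, runnable model. This is example code written for this issue, not Liferay code: the in-memory directory, the user and group names, the sample filter "(cn=My Group)" and every function name are constructed here. The model supports only the simple equality filter form "(attr=value)", which is enough to show the missing membership check.

```python
"""Model of the LDAP 'Group' import method and the membership check that
authentication-time import needs.

Hypothetical model written for this issue (not Liferay's code). A small
in-memory dictionary stands in for Active Directory; the group import
search filter is limited to the "(attr=value)" form for the model.
"""
import re

# Constructed sample directory: one group, one member (alice) and one
# user who is not a member of that group (bob).
GROUPS = {
    "cn=My Group,ou=groups,dc=example,dc=com": {
        "cn": "My Group",
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=Other Group,ou=groups,dc=example,dc=com": {
        "cn": "Other Group",
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}
USERS = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "password": "alice-pw"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "password": "bob-pw"},
}

# Simple equality filter only, e.g. "(cn=My Group)" (constructed sample).
FILTER_RE = re.compile(r"^\((\w+)=([^)]*)\)$")


def find_groups(group_filter):
    """Return the DNs of groups whose attribute matches the configured filter."""
    match = FILTER_RE.match(group_filter)
    if not match:
        raise ValueError("model supports only (attr=value) filters: %r" % group_filter)
    attr, value = match.groups()
    return [dn for dn, attrs in GROUPS.items() if attrs.get(attr) == value]


def import_by_group(group_filter):
    """Startup import with method Group: groups first, then only their members."""
    imported = set()
    for group_dn in find_groups(group_filter):
        for member_dn in GROUPS[group_dn]["member"]:
            if member_dn in USERS:
                imported.add(USERS[member_dn]["uid"])
    return imported


def ldap_bind(uid, password):
    """Check credentials against the directory; return the user DN or None."""
    for dn, attrs in USERS.items():
        if attrs["uid"] == uid:
            return dn if attrs["password"] == password else None
    return None


def authenticate_unchecked(local_users, uid, password, group_filter):
    """Reported behaviour: any successful bind imports the user, ignoring groups."""
    dn = ldap_bind(uid, password)
    if dn is None:
        return False
    local_users.add(uid)  # imported without a membership check
    return True


def authenticate_checked(local_users, uid, password, group_filter):
    """Required behaviour: import on login only if the user is a member of a
    group matched by the configured group import filter."""
    dn = ldap_bind(uid, password)
    if dn is None:
        return False
    if uid not in local_users:
        member_of_imported_group = any(
            dn in GROUPS[group_dn]["member"] for group_dn in find_groups(group_filter)
        )
        if not member_of_imported_group:
            return False  # valid credentials, but outside the imported groups
        local_users.add(uid)
    return True


def reproduce(group_filter="(cn=My Group)"):
    """Run the scenario from the issue against both behaviours and report results."""
    startup = import_by_group(group_filter)
    unchecked_users = set(startup)
    checked_users = set(startup)
    return {
        "imported_at_startup": startup,
        "unchecked_bob_login": authenticate_unchecked(unchecked_users, "bob", "bob-pw", group_filter),
        "unchecked_users_after": unchecked_users,
        "checked_bob_login": authenticate_checked(checked_users, "bob", "bob-pw", group_filter),
        "checked_alice_login": authenticate_checked(checked_users, "alice", "alice-pw", group_filter),
        "checked_users_after": checked_users,
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(key, "=", value)
```

Running the model reproduces the report: after the startup import only alice exists locally, yet the unchecked login path lets bob (a valid directory user outside "My Group") authenticate and be created; the checked path rejects bob and leaves the local user set unchanged while still admitting alice.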