LDAP: Add filter based on memberOf

[tigre-bleu]

LDAP authentication is great. In our use case, it would be useful to have a filter based on the AD groups the user is member of. Only member of the "Crackerjack" security group in AD should be able to log in.

In the same way, another group could be used to configure if the user shall be admin or not in Crackerjack.

[sadreck]

This is a good recommendation, can you try specifying the OU in the settings to be the one for the CrackerJack users?

As for the admin one, it'd also be a good addition, but originally I've kept it separate to avoid being locked out if the LDAP server was down - by forcing to use local accounts.

[tigre-bleu]

Depending on the layout of the AD, in the same OU some accounts shall be allowed to login and other not hence the filter on group membership rather than OU.

Regarding admin accounts, you could still try to authenticate locally and LDAP, whichever succeeds.