We have this LDAP "problem" in several customer setups:
LDAP is configured against a large user directory (e.g. a university)
Plone groups are mapped to groups in LDAP
Nothing special, everything is fine...except: every user in LDAP can usually log into such a portal, which is possibly not a security issue as long as you do not automatically assign a role like Member.
A customer asks - for compliance reasons - to disallow logins from LDAP accounts that do not belong to a particular group. Any way to configure this in pas.plugins.ldap?
We have some complicated LDAP queries for Plone projects. Key is to get the correct query syntax. We tend to use a very common base dn and then use subtree. Here is an example query excluding a specific group:
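As an added example (not the poster's query and not pas.plugins.ldap code): composing the user-search filter that admits only members of one group and excludes another, with RFC 4515 escaping so a crafted group or user name cannot change the filter's structure. The `memberOf` attribute and the group DNs are assumptions; memberOf exists natively in Active Directory but in OpenLDAP only with the memberof overlay.

```python
"""Build an LDAP user-search filter that restricts portal logins to members of
a given group (and optionally excludes another). Example code, not part of
pas.plugins.ldap; attribute names and group DNs are constructed placeholders."""
from typing import Iterable, Mapping

# RFC 4515: these characters must be hex-escaped inside a filter value, or a
# crafted group/user name could alter the filter (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(object_class: str,
                      required_groups: Iterable[str] = (),
                      excluded_groups: Iterable[str] = (),
                      member_attr: str = "memberOf") -> str:
    """AND together the object class, membership in every required group and
    non-membership in every excluded group. member_attr is an assumption."""
    parts = [f"(objectClass={escape_filter_value(object_class)})"]
    parts += [f"({member_attr}={escape_filter_value(g)})" for g in required_groups]
    parts += [f"(!({member_attr}={escape_filter_value(g)}))" for g in excluded_groups]
    return f"(&{''.join(parts)})"


def login_allowed(entry: Mapping[str, list], required_groups: Iterable[str] = (),
                  excluded_groups: Iterable[str] = (), member_attr: str = "memberOf") -> bool:
    """Client-side mirror of the filter semantics for checking a directory entry
    (dict of attribute -> list of values) offline, e.g. in a unit test."""
    groups = set(entry.get(member_attr, []))
    return (all(g in groups for g in required_groups)
            and not any(g in groups for g in excluded_groups))


# Constructed sample data (not from any real directory).
PLONE_GROUP = "cn=plone-users,ou=groups,dc=example,dc=org"
BLOCKED_GROUP = "cn=blocked,ou=groups,dc=example,dc=org"
SAMPLE_ENTRIES = {
    "alice": {"memberOf": [PLONE_GROUP]},                 # allowed
    "bob": {"memberOf": []},                              # in LDAP, but not in the Plone group
    "carol": {"memberOf": [PLONE_GROUP, BLOCKED_GROUP]},  # member, but explicitly excluded
}

if __name__ == "__main__":
    print(build_user_filter("inetOrgPerson", [PLONE_GROUP], [BLOCKED_GROUP]))
    for uid, entry in SAMPLE_ENTRIES.items():
        print(uid, login_allowed(entry, [PLONE_GROUP], [BLOCKED_GROUP]))
```

Only users the filter returns are visible to the plugin at all, so accounts outside the group cannot authenticate regardless of which roles get assigned afterwards.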
That's what I use too - it just works (and SSH tunnels to get to the LDAP from my local machine which is possible in most cases if you can tunnel to the server running Plone).