LDAP -AD Default role assignments upon first login

[joaobrazuna]

It would be nice if, upon the 1st login, if the LDAP-AD user does not belong to any ldapRole, (i.e. does not belong to any Group from AD LDAP), the login should be refused.
Meaning, that only users that belong to ldapRole / AD groups can login on leantime.

[adocampo]

Agree.

Leantime should let the admin filter by group. Currently just one OU can log in into the system. So I can let everybody log in or just one OU. Usually, in a company there are several OU (one for each department), and many administrators create the "Users" OU inside the "Department" OU to have all the LDAP tidier... so, now I can let everyone log in with LEAN_LDAP_DN: "DC=domain,DC=lan" or a single OU with LEAN_LDAP_DN: "OU=Users,OU=IT Department,DC=domain,DC=lan".

The first is too lax, as we probably don't want everyone to use the tool, and the other too restrictive, as it would leave other OUs out. An LDAP filter would be great, something like (memberof=CN=Leantime,OU=Security Groups,DC=company,DC=lan), so anyone who belongs to the group "Leantime" should be able to connect.