ensure groups match filter when using memberOf to read users group, refs #17119

apps/user_ldap/group_ldap.php

@@ -378,9 +378,11 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
 			&& intval($this->access->connection->useMemberOfToDetectMembership) === 1
 		) {
 			$groupDNs = $this->access->readAttribute($userDN, 'memberOf');
+
 			if (is_array($groupDNs)) {
+				$groupDNs = $this->access->groupsMatchFilter($groupDNs);
 				foreach ($groupDNs as $dn) {
-					$groups[] = $this->access->dn2groupname($dn);;
+					$groups[] = $this->access->dn2groupname($dn);
 				}
 			}
 			if($primaryGroup !== false) {

apps/user_ldap/lib/access.php

@@ -346,6 +346,33 @@ class Access extends LDAPUtility implements user\IUserTools {
 		return $this->dn2ocname($fdn, $ldapName, false);
 	}
 
+	/**
+	 * accepts an array of group DNs and tests whether they match the user
+	 * filter by doing read operations against the group entries. Returns an
+	 * array of DNs that match the filter.
+	 *
+	 * @param string[] $groupDNs
+	 * @return string[]
+	 */
+	public function groupsMatchFilter($groupDNs) {
+		$validGroupDNs = [];
+		foreach($groupDNs as $dn) {
+			$cacheKey = 'groupsMatchFilter-'.$dn;
+			if($this->connection->isCached($cacheKey)) {
+				if($this->connection->getFromCache($cacheKey)) {
+					$validGroupDNs[] = $dn;
+				}
+				continue;
+			}
+
+			$result = $this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter);
+			if(is_array($result)) {
+				$validGroupDNs[] = $dn;
+			}
+		}
+		return $validGroupDNs;
+	}
+
 	/**
 	 * returns the internal ownCloud name for the given LDAP DN of the user, false on DN outside of search DN or failure
 	 * @param string $dn the dn of the user object