
Allow or forbid users from certain AD group does not work on subwikis #68

Closed
AndreeaChi opened this issue Feb 23, 2023 · 2 comments · Fixed by #72

Comments


AndreeaChi commented Feb 23, 2023

I tested the following in turn on a Cloud 14.4.7 with AD v1.15 installed on the farm from the main wiki. On the main wiki both ALLOW ACTIVE DIRECTORY AUTHENTICATION ONLY TO CERTAIN GROUP and FORBID ACTIVE DIRECTORY AUTHENTICATION TO CERTAIN GROUP work well.

I now leave CN=QA,CN=Users,DC=xwiki,DC=com on the main wiki in FORBID ACTIVE DIRECTORY AUTHENTICATION TO CERTAIN GROUP; the user TestUser from this QA group cannot log in on the main wiki, and on a login attempt "Error - Invalid credentials" is shown. The user XWikiUserOne from a different AD group, Testers, can log in on the main wiki. I have deleted XWikiUserOne from the main wiki to have a clean slate for the next test.

Steps to reproduce on a new subwiki

  1. Create a subwiki with Only global users are available in the wiki and Only an admin can send invitations to join this wiki. I have also tested with
  2. Configure AD and add CN=QA,CN=Users,DC=xwiki,DC=com in ALLOW ACTIVE DIRECTORY AUTHENTICATION ONLY TO CERTAIN GROUP.
  3. One result, which is fine to have: I can log in with Test User from the QA AD group.

Expected result: I cannot log in on the subwiki with the XWikiUserOne user from the group Testers.

Actual result: I can log in with XWikiUserOne on the subwiki.


oanalavinia commented Apr 18, 2023

The problem comes from the LDAP application, specifically from here.

The idea is that when the local login fails (because the user was not part of the specified group), the global login is tried, which will work in this case since nothing is specified in the main wiki's ALLOW ACTIVE DIRECTORY AUTHENTICATION ONLY TO CERTAIN GROUP property.
The same will happen with the exclude groups field, if the main wiki config allows an excluded user to log in.

I'll open an issue on the LDAP JIRA.

The workaround for now is to have on the main wiki the configuration needed for all subwikis. But this is hardly appropriate for everyone.

@oanalavinia oanalavinia changed the title Allow users only from an AD group does not work on subwikis Allow or forbid users from certain AD group does not work on subwikis Apr 18, 2023

oanalavinia commented Apr 19, 2023

Following the discussion on the linked LDAP issue https://jira.xwiki.org/browse/LDAP-128, this is the expected behaviour.
When logging in on a subwiki fails, it falls back on the main wiki login. In this case, XWikiUserOne is a global user and goes through the main wiki configuration, which allows him to log in. So those configuration options only apply to local users; they cannot affect global ones. I will update the hint to specify this.
Regarding the needed restrictions, these should be achieved through rights management. The options you are mentioning do not control access to the wiki; they control who is allowed to authenticate at this wiki level.
See https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases#HEnableLDAPbydefaultforallwikisandthendisableitonlyonwikiswhereyoudon27twantit for a similar case.

oanalavinia added a commit to oanalavinia/application-activedirectory that referenced this issue Apr 19, 2023
…wikisas#68

* mention that this options will not influence the global users access
oanalavinia added a commit to oanalavinia/application-activedirectory that referenced this issue Apr 19, 2023
oanalavinia added a commit that referenced this issue May 2, 2023
…68 (#72)

* mention that this options will not influence the global users access
@oanalavinia oanalavinia added this to the 1.16.2 milestone May 16, 2023