When the LDAP_APPLICATION_ID option is used, the logic checks the ISAM and SQL group membership (if those keywords are used) after authenticating the application ID and before authenticating the user ID. This is done because the user ID might not have been assigned the permissions needed to check group membership.
Perform LDAP_GROUP_CHECK in Context of LDAP Application ID
The check for group membership, configured by the LDAP_GROUP_CHECK option, was done in the context of the user account that was logging on. However, the user account might not have permission to query its LDAP groups.
The logic has been enhanced so that, if an LDAP application ID is specified (by specifying the LDAP_APPLICATION_ID option in the SUBSYSTEM USER_AUTH LDAP block in ctsrvr.cfg), the LDAP_GROUP_CHECK is now performed in the context of the LDAP application ID. This is consistent with what is done for the LDAP_ISAM_ALLOWED_GROUP and LDAP_SQL_ALLOWED_GROUP options.
When LDAP_APPLICATION_ID is specified, you MUST also use LDAP_KEY_STORE to specify an application password; otherwise the application authentication will fail.
Note: When LDAP_APPLICATION_ID is not specified, the logic behaves as before, using the current user ID for the lookup.
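The following is an added illustration, not code from the c-tree server or the product's own LDAP implementation. It simulates a directory in which the logging-on user lacks the ACL right to read its own group membership, and walks through the two orders of operations the text describes: the old behaviour (bind as the user, then look up groups as the user) and the new behaviour (bind as the application ID using the key-store password, check the group, then authenticate the user). The directory entries, DNs, passwords and the `SimLdap`/`LdapAuthConfig` classes are all constructed for the example; the config fields merely stand in for the LDAP_GROUP_CHECK, LDAP_APPLICATION_ID and LDAP_KEY_STORE options.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Entry:
    """One constructed directory entry."""
    dn: str
    password: str
    groups: frozenset = frozenset()
    may_read_groups: bool = False   # directory ACL: may this account query group membership?


class SimLdap:
    """Tiny stand-in for an LDAP directory: bind() authenticates, groups_of() is ACL-checked."""

    def __init__(self, entries):
        self._entries = {e.dn: e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        e = self._entries.get(dn)
        return e is not None and e.password == password

    def groups_of(self, bound_as: str, target_dn: str) -> frozenset:
        # Only accounts granted the right by the directory ACL may read membership.
        if not self._entries[bound_as].may_read_groups:
            raise PermissionError(f"{bound_as} may not read group membership")
        target = self._entries.get(target_dn)
        return target.groups if target else frozenset()


@dataclass
class LdapAuthConfig:
    group_check: str                                 # stands in for LDAP_GROUP_CHECK
    application_id: Optional[str] = None             # stands in for LDAP_APPLICATION_ID
    key_store: dict = field(default_factory=dict)    # stands in for LDAP_KEY_STORE (app id -> password)


def authenticate(ldap: SimLdap, cfg: LdapAuthConfig, user_dn: str, user_password: str):
    """Return (accepted, reason), following the order of operations described in the text."""
    if cfg.application_id is None:
        # Previous behaviour: the user authenticates and the group lookup runs as the user.
        if not ldap.bind(user_dn, user_password):
            return False, "user authentication failed"
        lookup_as = user_dn
    else:
        # New behaviour: the application ID authenticates first, with its key-store password.
        app_password = cfg.key_store.get(cfg.application_id)
        if app_password is None or not ldap.bind(cfg.application_id, app_password):
            return False, "application authentication failed"
        lookup_as = cfg.application_id

    # Group check, performed in the context of whichever account was bound above.
    try:
        groups = ldap.groups_of(lookup_as, user_dn)
    except PermissionError:
        return False, "group lookup not permitted"
    if cfg.group_check not in groups:
        return False, "user not in required group"

    # With an application ID the user is authenticated only after the group check.
    if cfg.application_id is not None and not ldap.bind(user_dn, user_password):
        return False, "user authentication failed"
    return True, "ok"


# Constructed sample directory: the service account may read groups, ordinary users may not.
APP = "cn=ctree-svc,ou=apps,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
REQUIRED = "cn=ctree-users,ou=groups,dc=example,dc=com"

DIRECTORY = SimLdap([
    Entry(APP, "svc-secret", may_read_groups=True),
    Entry(ALICE, "alice-pw", groups=frozenset({REQUIRED})),
    Entry(BOB, "bob-pw"),
])

OLD_CFG = LdapAuthConfig(group_check=REQUIRED)
NEW_CFG = LdapAuthConfig(group_check=REQUIRED, application_id=APP, key_store={APP: "svc-secret"})
NO_KEYSTORE_CFG = LdapAuthConfig(group_check=REQUIRED, application_id=APP)

if __name__ == "__main__":
    for name, cfg in [("old", OLD_CFG), ("new", NEW_CFG), ("new, no key store", NO_KEYSTORE_CFG)]:
        print(f"{name:>18}: {authenticate(DIRECTORY, cfg, ALICE, 'alice-pw')}")
```

Running it shows the three outcomes the text implies: under the old configuration alice's logon fails because she cannot read her own groups, under the new configuration it succeeds, and with an application ID but no key-store password the application bind itself fails. The distinct reason strings are for illustration only; a server should log them but return a single generic failure to the client.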