Type: Bug
Resolution: Unresolved
Priority: Major
LDAP Plugin 1.20 and newer
Role Based Authorization Strategy 2.13 and later
Jenkins 2.60 and later
When configuring a Group Search Filter in Jenkins, it is not evaluated. Step-debugging the plugin reveals that the AuthoritiesPopulatorImpl holds the default value in groupSearchFilter. Setting a Group membership filter causes the groupSearchFilter field in AuthoritiesPopulatorImpl to hold the Group membership filter.
Our Group configuration in LDAP is a tree following this schema:
ou:Project ---> ou:Tool ---> cn: posixGroup
We use Group Search Filters to match the correct ou to search, as groups having the same group name may exist in other tool OUs. The filter used is (ou:dn:=ci), as the tools ou we host our Jenkins groups in is called ci. Having a group admin in this ou and having a group admin in another ou causes that other group to also be matched.
My discovery is that, with a Group Search Filter set in the LDAP configuration, the AuthoritiesPopulatorImpl holds the filter "(| (member={0}) (uniqueMember={0}) (memberUid={1}))" in the groupSearchFilter field. As a fix I was able to set the Group membership filter to "(&(ou:dn:=ci)(memberUid={1}))".
Possible fixes: either drop the Group search filter field entirely, as it seems disused, or restore usage of this field.
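The authorization impact of the report, as an added example that is not code from the LDAP plugin or from the reporter: a small filter evaluator run over a constructed directory, comparing the default membership filter with the workaround filter. The entries, DNs and user names are constructed; it assumes {0} is the user DN and {1} the user name, that the search covers the whole project subtree, and it supports only `&`, `|`, equality and `:dn:=` matches.

```python
# Constructed sample directory: two posixGroups named "admin" under different tool OUs.
ENTRIES = [
    {"dn": "cn=admin,ou=ci,ou=projectA,dc=example,dc=org", "cn": ["admin"], "memberUid": ["alice"]},
    {"dn": "cn=admin,ou=wiki,ou=projectA,dc=example,dc=org", "cn": ["admin"], "memberUid": ["bob"]},
    {"dn": "cn=dev,ou=ci,ou=projectA,dc=example,dc=org", "cn": ["dev"], "memberUid": ["bob"]},
]
DEFAULT_FILTER = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))"
WORKAROUND_FILTER = "(&(ou:dn:=ci)(memberUid={1}))"

def parse(f, i=0):
    """Parse one filter starting at f[i] == '('; return (node, next_index)."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|":
        op, kids = f[i], []
        i += 1
        while True:
            while f[i] == " ":
                i += 1
            if f[i] == ")":
                return (op, kids), i + 1
            kid, i = parse(f, i)
            kids.append(kid)
    end = f.index(")", i)  # simplification: values contain no parentheses
    attr, value = f[i:end].split("=", 1)
    return ("match", attr, value), end + 1

def dn_values(dn, attr):
    """Values of attr among the RDN components of a DN (no escaped commas)."""
    pairs = (rdn.split("=", 1) for rdn in dn.split(","))
    return [v.strip().lower() for k, v in pairs if k.strip().lower() == attr.lower()]

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    if attr.endswith(":dn:"):  # extensible match: DN components count as values too
        name = attr[:-4]
        found = dn_values(entry["dn"], name) + [v.lower() for v in entry.get(name, [])]
    else:
        found = [v.lower() for v in entry.get(attr, [])]
    return value.lower() in found  # case-insensitive comparison (simplification)

def groups_for(template, user_dn, username):
    """Group names (cn) that the filter returns for the given user."""
    tree, _ = parse(template.replace("{0}", user_dn).replace("{1}", username))
    return sorted(e["cn"][0] for e in ENTRIES if matches(tree, e))
```

With the default filter, the constructed user bob is reported as a member of `admin` through the group in the `wiki` OU; with the workaround filter only groups under `ou=ci` are returned.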