How do I restrict LDAP logins to only a subset of our LDAP accounts?

We're on YouTrack 6 and using the LDAP authentication module. In our case our LDAP server has all our customer users in it as well as our staff. For obvious reasons we only want our staff to be able to use internal software like YouTrack. To this end we have an attribute PIapplications=youtrack set for staff records.

I tried altering the filter to
which is correctly returning zero or one entries to YouTrack but still allows login. Is it possible to do things this way?

Attached is the relevant section of my 389DS server log
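As an added illustration of the mechanism the question relies on (not code from the original post; the filter `(&(uid=<login>)(PIapplications=youtrack))` and the sample entries are assumptions, since the post's actual filter and log are not shown), this Python script evaluates a restricted LDAP search filter against a constructed directory and lets a login proceed only when exactly one staff entry matches:

```python
import re

# Constructed sample directory (not a real 389DS export): one staff account
# tagged for YouTrack and one customer account that must never get in.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "PIapplications": ["youtrack"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"]},   # customer: no PIapplications
}

# Tokens of an RFC 4515 filter: "(&", "(|", "(!", "(attr=value)" or ")".
_TOKEN = re.compile(r"\(([&|!])|\(([^()=]+)=([^()]*)\)|\)")

def parse_filter(text):
    """Parse the &, |, ! and equality subset of RFC 4515 into a tuple tree."""
    stack = [[]]
    for m in _TOKEN.finditer(text):
        if m.group(1):                        # start of a compound filter
            stack.append([m.group(1)])
        elif m.group(2):                      # simple (attr=value) assertion
            stack[-1].append(("=", m.group(2), m.group(3)))
        else:                                 # ")" closing a compound filter
            node = tuple(stack.pop())
            stack[-1].append(node)
    (root,) = stack[0]                        # exactly one top-level filter
    return root

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        return bool(values) if value == "*" else value in values
    if op == "&":
        return all(matches(c, entry) for c in node[1:])
    if op == "|":
        return any(matches(c, entry) for c in node[1:])
    return not matches(node[1], entry)        # "!"

def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def search(filter_text, directory=DIRECTORY):
    tree = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if matches(tree, entry)]

def may_authenticate(login, directory=DIRECTORY):
    """Search step of an LDAP login: bind only if the restricted search returns exactly one entry."""
    flt = "(&(uid=%s)(PIapplications=youtrack))" % escape_filter_value(login)
    return len(search(flt, directory)) == 1
```

The check on the number of hits is the part that matters: a filter that returns zero entries for a customer account only helps if the application refuses to go on to the bind step in that case.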

