The issue isn't so much about preventing logins; instead, it's more about controlling who's listed in Windchill teams.
Apache is going to limit logins to only users in the Windchill_Users group. Simple enough.
Inside Windchill I'm using other Active Directory groups to drive security (like Product_ABC_Users). There are many more users in this group than in the Windchill_Users group. This means all the users listed in the Product_ABC_Users group are being listed as members of Product_ABC when many of them don't even have login permissions to Windchill. I would like to filter the Product_ABC users to only the subset that are also a part of Windchill_Users.
The JNDI user filter does not appear to have any impact on members of existing groups.
Make sense?