Bug #17992

closed

500 when external usergroup users don't match filter

Added by Daniel Lobato Garcia over 7 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Category: Authentication
Target version:
Fixed in Releases:
Found in Releases:

Description

Given an Auth source LDAP with a filter like:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=Red Hat Foreman Users,OU=Groups,OU=Unix,DC=example,DC=net))

with a base DN of 'DC=example, DC=net'

and an LDAP tree like:

- OU = Groups (OU=Unix, DC=example, DC=net..)
  - CN = Red Hat Foreman Users
  - CN = Foreman Admins

If one tries to add 'Foreman Admins' as an external user group, it will fail with a 500 LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException, as Foreman does not know how to handle this exception. The failure is fine as Foreman Admins doesn't match the LDAP Filter, however we should give better hints to the admin as to what's going on.

1. Foreman looks for the group Foreman Admins within its base DN. Success
2. ldap_fluff lists all users for the group. Fail: it uses the LDAP filter to do this operation, and users in Foreman Admins will not satisfy "memberOf:1.2.840.113556.1.4.1941:=CN=Red Hat Foreman Users" (member of the Red Hat Foreman Users hierarchy), as it's a different hierarchy tree. It throws UIDNotFoundException, and Foreman doesn't know what to do at this point so it 500s.

Possible solutions:

1. Make sure we apply the filter also on group lookup on LDAP fluff.
2. Handle LdapFluff::Exception on the user group page in Foreman, and try to figure out the cause (say, lookup for the user list without the filter, if that works, explain what's going on)
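
The second option above, as an added Ruby example that is not Foreman or ldap_fluff code: when the filtered member lookup raises, retry without the filter and report a filter mismatch instead of a 500. `FakeMemberService`, `UIDNotFound`, `AUTH_FILTER`, `diagnose_external_group` and the sample directory are hypothetical, constructed stand-ins.

```ruby
# Added example: all classes and data below are hypothetical stand-ins,
# not Foreman or ldap_fluff code.
class UIDNotFound < StandardError; end # models ...MemberService::UIDNotFoundException

USERS_GROUP = 'CN=Red Hat Foreman Users,OU=Groups,OU=Unix,DC=example,DC=net'.freeze
# Constructed directory mirroring the tree in the report.
DIRECTORY = {
  users: { 'alice' => { member_of: [USERS_GROUP] },
           'bob' => { member_of: ['CN=Foreman Admins,OU=Groups,OU=Unix,DC=example,DC=net'] } },
  groups: { 'Red Hat Foreman Users' => %w[alice], 'Foreman Admins' => %w[bob] }
}.freeze
# Simplified model of the memberOf clause (direct membership only, no nesting).
AUTH_FILTER = ->(attrs) { attrs[:member_of].include?(USERS_GROUP) }

# Toy member service: resolves group members, applying the auth source filter if set.
class FakeMemberService
  def initialize(filter = nil)
    @filter = filter
  end

  def user_list(group)
    members = DIRECTORY[:groups].fetch(group) { raise UIDNotFound, "group '#{group}' not found" }
    members.map do |uid|
      attrs = DIRECTORY[:users][uid]
      raise UIDNotFound, "uid '#{uid}' not found" unless attrs && (@filter.nil? || @filter.call(attrs))
      uid
    end
  end
end

# Returns a result the UI can render instead of letting the exception become a 500.
def diagnose_external_group(group, filter)
  { ok: true, users: FakeMemberService.new(filter).user_list(group) }
rescue UIDNotFound => e
  begin
    # Retry without the filter: success means the filter, not the group, is the cause.
    found = FakeMemberService.new(nil).user_list(group)
    { ok: false, cause: :filter_mismatch,
      error: "'#{group}' has #{found.size} member(s), but they do not match the auth source LDAP filter" }
  rescue UIDNotFound
    { ok: false, cause: :lookup_failed, error: "Could not list members of '#{group}': #{e.message}" }
  end
end
```
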


Related issues: 1 (0 open, 1 closed)

Related to Foreman - Bug #18103: Errors when submitting external user groups not displayed (Closed, Daniel Lobato Garcia, 01/17/2017)