Suggestion
Resolution: Fixed
This feature request is one of the solutions that can be implemented for the goal of implementing the feature mentioned in CWD-5145 - Only users who have access to applications connected to Crowd should be synchronized from Crowd to those applications.
When a directory is associated with an application in Crowd, all users and groups returned by the scope of the directory configuration are displayed in client applications. We should provide the ability to filter users/groups for client apps based on the ability to authenticate in the client app.
- Set up an LDAP server with users, only some of whom are added to a group.
- Add the LDAP directory to Crowd.
- Log in to Crowd and, under Applications, click on "Add Application".
- In the directories tab, remove the internal directory and add the LDAP directory (allow all to authenticate = false).
- In the groups tab, add the LDAP group.
- Go to the users tab.
Expected: Only users from the LDAP group are present; the rest have no permission to authenticate and are not part of the valid groups.
Actual: All users from the directory are present.
This is a design decision in Crowd, as most customers want all users and groups to be present, regardless of the ability to authenticate. We may consider providing a toggle for this behaviour in the future, but it's not on a roadmap at present.
- blocks
  - BAM-4801 Integration with Crowd explodes user count (Closed)
  - JSDSERVER-5437 Indicate in JSD when customer is in Crowd and has no permission to authenticate (Closed)
  - FE-6522 Crowd users not allowed to authenticate are pulled in as normal users (Not Being Considered)
- causes
  - BSERV-10046 Connecting with Crowd causes Bitbucket Server to synchronize all users and groups in directory (Closed)
- duplicates
  - CWD-5145 Only users who have access to applications connected to Crowd should be synchronized from Crowd to those applications (Closed)
- is blocked by
  - CWD-432 Client applications should only see groups which have been allocated to them (Closed)
  - CWD-1348 Client applications should only see principals which have been authorised to access the application (Closed)
  - CWD-5145 Only users who have access to applications connected to Crowd should be synchronized from Crowd to those applications (Closed)
- is duplicated by
  - CWD-5185 Improve users visibility limitation mechanism (Closed)
- was cloned as
  - KRAK-452