2 files changed, 24 insertions, 7 deletions

diff --git a/app/Core/Ldap/User.php b/app/Core/Ldap/User.php
index 4bc1f5f9..63bd1ccb 100644
--- a/app/Core/Ldap/User.php
+++ b/app/Core/Ldap/User.php
@@ -120,17 +120,25 @@ class User
             return null;
         }
 
+        // Init with smallest role
+        $role = Role::APP_USER ;
+
         foreach ($groupIds as $groupId) {
             $groupId = strtolower($groupId);
 
             if ($groupId === strtolower($this->getGroupAdminDn())) {
-                return Role::APP_ADMIN;
-            } elseif ($groupId === strtolower($this->getGroupManagerDn())) {
-                return Role::APP_MANAGER;
+                // Highest role found : we can and we must exit the loop
+                $role = Role::APP_ADMIN;
+                break;
+            }
+
+            if ($groupId === strtolower($this->getGroupManagerDn())) {
+                // Intermediate role found : we must continue to loop, maybe admin role after ?
+	        $role = Role::APP_MANAGER;
             }
         }
 
-        return Role::APP_USER;
+        return $role;
     }
 
     /**
diff --git a/tests/units/Core/Ldap/LdapUserTest.php b/tests/units/Core/Ldap/LdapUserTest.php
index 143a8c0d..335a699b 100644
--- a/tests/units/Core/Ldap/LdapUserTest.php
+++ b/tests/units/Core/Ldap/LdapUserTest.php
@@ -231,8 +231,10 @@ class LdapUserTest extends Base
                     0 => 'my_ldap_user',
                 ),
                 'memberof' => array(
-                    'count' => 1,
-                    0 => 'CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local',
+                    'count' => 3,
+                    0 => 'CN=Kanboard-Users,CN=Users,DC=kanboard,DC=local',
+                    1 => 'CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local',
+                    2 => 'CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local',
                 ),
                 0 => 'displayname',
                 1 => 'mail',
@@ -301,7 +303,14 @@ class LdapUserTest extends Base
         $this->assertEquals('My LDAP user', $user->getName());
         $this->assertEquals('user1@localhost', $user->getEmail());
         $this->assertEquals(Role::APP_ADMIN, $user->getRole());
-        $this->assertEquals(array('CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local'), $user->getExternalGroupIds());
+        $this->assertEquals(
+            array(
+                'CN=Kanboard-Users,CN=Users,DC=kanboard,DC=local',
+                'CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local',
+                'CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local',
+            ),
+            $user->getExternalGroupIds()
+        );
         $this->assertEquals(array('is_ldap_user' => 1), $user->getExtraAttributes());
     }