Finally, the authentication routine of the LDAP provider must be extended so that the mapping occurs during a login.
This includes the following situations:
User new, no mapping activated → Default group
User exists, no mapping activated → Stays in current group
User new, no mapping found → Default group
User new, mapping available → Mapping group
User exists, no mapping → Default group
User exists, new mapping → Mapping group
User exists, mapping present but invalid → Default group
I have included the different situations in the technical task. If you think of anything else, please add it. In particular, I would like to clarify whether the last point is ok.
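The seven situations above as one decision function, added here as an illustration and not the project's own code. It assumes the mapping is keyed by LDAP group DN, that the first matching LDAP group decides, and that "invalid" means the mapped target group does not exist; all names and sample values are constructed.

```python
from typing import Dict, Iterable, Optional, Set

# Constructed sample data; the DNs and group names are placeholders.
MAPPING = {
    "CN=Editors,OU=Groups,DC=example,DC=org": "editor",
    "CN=Legacy,OU=Groups,DC=example,DC=org": "retired",  # target no longer exists
}
KNOWN_GROUPS = {"user", "editor", "admin"}
DEFAULT_GROUP = "user"


def _norm(dn: str) -> str:
    # Simplified DN comparison: case-insensitive, ignoring spaces around commas.
    # Escaped commas are not handled; use a real DN parser in production code.
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_group(current_group: Optional[str], ldap_groups: Iterable[str],
                  mapping_enabled: bool, mapping: Dict[str, str] = MAPPING,
                  known_groups: Set[str] = KNOWN_GROUPS,
                  default_group: str = DEFAULT_GROUP) -> str:
    """Return the group a user holds after login; current_group is None for a new user."""
    if not mapping_enabled:
        # Mapping switched off: new users get the default, existing users are untouched.
        return default_group if current_group is None else current_group
    table = {_norm(dn): group for dn, group in mapping.items()}
    for dn in ldap_groups:
        target = table.get(_norm(dn))
        if target is not None:
            # A mapping that points at an unknown group falls back to the default
            # instead of keeping whatever the user held before.
            return target if target in known_groups else default_group
    # Mapping is on but nothing matched: new and existing users both get the default.
    return default_group


if __name__ == "__main__":
    editors = ["cn=editors, ou=groups, dc=example, dc=org"]
    print(resolve_group("admin", editors, mapping_enabled=False))
    print(resolve_group("admin", [], mapping_enabled=True))
```

Because the group is re-evaluated on every login while mapping is active, an existing user whose LDAP group no longer maps to anything drops to the default group at the next login.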