authentication and verify user part of ldap group #65

Open
sukumarkonduru opened this issue Aug 15, 2019 · 2 comments

sukumarkonduru commented Aug 15, 2019

I am using the APIs to verify credentials and also to make sure the user is part of either of two LDAP groups to access the application. I enabled debugging and am able to verify that the user is authenticated successfully. However, when it is searching for the groups, I see the following, and it retrieves hundreds of users (maybe all users):

```
Searching for groups for specific user with filter '(&(objectclass=group)(member=CN=CHINNI,OU=Information_Services,OU=KMC,DC=Kids,DC=med))' , base 'cn=users,DC=Kids,DC=med' and scope 'LEVEL'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(member=CN=CHINNI,OU=Information_Services,OU=KMC,DC=Kids,DC=med))' , base 'cn=users,DC=Kids,DC=med' and scope 'LEVEL'
```

When I print in `save_user(dn, username, data, memberships)`, the memberships contains hundreds of users, and I can't even see all of them as the output is getting cut off. I thought I would see the groups (10 or so) that the user is part of. When I run the same following filter in AD, I see only group names:

```
(member=CN=CHINNI,OU=Information_Services,OU=KMC,DC=Kids,DC=med))' , base 'cn=users,DC=Kids,DC=med' and scope 'LEVEL'
```

I would appreciate help understanding what this memberships means and how to get only the names of the groups the user belongs to, so that I can iterate over them to make sure he is part of the proper group. The system freezes as it is getting all users.

Edited by @gmacon 2020-02-24: Literal formatting for log outputs.

Collaborator

gmacon commented Feb 25, 2020

I suspect you're seeing only the groups that the currently authenticating user is a member of, but, because the group membership is stored on the group object, you're also seeing every other user who is a member of those groups. You should be able to extract the information you care about and ignore everything else.
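
Following the suggestion above, one way to reduce `memberships` to group DNs and check them against an allow-list. This is an added example, not code from this thread or from flask-ldap3-login. It assumes each entry in `memberships` is a dict of one group's attributes plus a `dn` key; the group names and `ALLOWED_GROUP_DNS` are hypothetical.

```python
# Added example: not flask-ldap3-login's own code.
# Assumption: each entry in `memberships` is a dict of one group's LDAP
# attributes plus a 'dn' key holding the group's distinguished name.

# Hypothetical allow-list: full DNs of the two groups that may use the app.
ALLOWED_GROUP_DNS = {
    "CN=App_Admins,CN=Users,DC=Kids,DC=med",
    "CN=App_Users,CN=Users,DC=Kids,DC=med",
}


def normalize_dn(dn):
    """AD compares DNs case-insensitively, so casefold before comparing."""
    return dn.strip().casefold()


def group_dns(memberships):
    """Return only the group DNs, ignoring 'member' and every other attribute."""
    return [g["dn"] for g in memberships if isinstance(g, dict) and g.get("dn")]


def is_authorized(memberships, allowed=ALLOWED_GROUP_DNS):
    """True only if one of the user's group DNs exactly matches an allowed DN.

    Fails closed: empty memberships or entries without a 'dn' grant nothing.
    """
    allowed_norm = {normalize_dn(dn) for dn in allowed}
    return any(normalize_dn(dn) in allowed_norm for dn in group_dns(memberships))


# Constructed sample data shaped like the output described in the issue:
# few groups, each carrying a long 'member' list of other users.
USER_DN = "CN=CHINNI,OU=Information_Services,OU=KMC,DC=Kids,DC=med"
SAMPLE_MEMBERSHIPS = [
    {"dn": "cn=app_users,cn=users,dc=kids,dc=med", "cn": "App_Users",
     "member": [USER_DN] + ["CN=User%d,OU=KMC,DC=Kids,DC=med" % i for i in range(300)]},
    {"dn": "CN=Printers,CN=Users,DC=Kids,DC=med", "cn": "Printers", "member": [USER_DN]},
]
# Lookalike name that a substring check on "App_Users" would wrongly accept.
LOOKALIKE_ONLY = [
    {"dn": "CN=App_Users_Denied,CN=Users,DC=Kids,DC=med", "member": [USER_DN]},
]

if __name__ == "__main__":
    print(group_dns(SAMPLE_MEMBERSHIPS))      # two group DNs, no user DNs
    print(is_authorized(SAMPLE_MEMBERSHIPS))  # allowed via App_Users
    print(is_authorized(LOOKALIKE_ONLY))      # rejected: exact DN match only
```

Call `is_authorized(memberships)` from the `save_user` callback and deny access when it returns `False`. The extension's `LDAP_GET_GROUP_ATTRIBUTES` setting controls which group attributes are fetched, so the `member` list need not be retrieved at all.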
