The group membership check currently always checks the DN that is stored in the user profile if there is any. This makes the group membership test fail when the DN changes. This doesn't match what the authenticator does. From my understanding of the code, the authenticator doesn't specify any DN (just null) if the bind DN is explicitly specified, and otherwise by default passes the user name that is entered in the login form as the DN. It seems much safer (and fixes the wrong disabling of the user account) to always pass null as the DN to the group membership check.