refactor code and add filter logic to group sync

app/models/ldap_group_link.rb

@@ -2,7 +2,7 @@ class LdapGroupLink < ActiveRecord::Base
   include Gitlab::Access
   belongs_to :group
 
-  NIL_ATTRIBUTES = %w[cn filter].freeze
+  BLANK_ATTRIBUTES = %w[cn filter].freeze
 
   validates :cn, :group_access, :group_id, presence: true, unless: :filter
   validates :cn, uniqueness: { scope: [:group_id, :provider] }, unless: :filter
@@ -14,7 +14,7 @@ class LdapGroupLink < ActiveRecord::Base
 
   scope :with_provider, ->(provider) { where(provider: provider) }
 
-  before_save :update_blank_attributes
+  before_save :nullify_blank_attributes
 
   def access_field
     group_access
@@ -37,7 +37,7 @@ class LdapGroupLink < ActiveRecord::Base
 
   private
 
-  def update_blank_attributes
-    NIL_ATTRIBUTES.each { |attr| self[attr] = nil if self[attr].blank? }
+  def nullify_blank_attributes
+    BLANK_ATTRIBUTES.each { |attr| self[attr] = nil if self[attr].blank? }
   end
 end

ee/lib/ee/gitlab/ldap/sync/group.rb

@@ -74,7 +74,7 @@ module EE
             access_levels = AccessLevels.new
             # Only iterate over group links for the current provider
             group.ldap_group_links.with_provider(provider).each do |group_link|
-              if member_dns = dns_for_group_cn(group_link.cn)
+              if member_dns = get_member_dns(group_link)
                 access_levels.set(member_dns, to: group_link.group_access)
                 logger.debug do
                   "Resolved '#{group.name}' group member access: #{access_levels.to_hash}"
@@ -88,6 +88,10 @@ module EE
 
           private
 
+          def get_member_dns(group_link)
+            group_link.cn ? dns_for_group_cn(group_link.cn) : UserFilter.filter(@proxy, group_link.filter)
+          end
+
           def dns_for_group_cn(group_cn)
             proxy.dns_for_group_cn(group_cn)
           end