How to prevent Sametime users from logging in when using LDAP reloaded !

Today i finished the setup of  Sametime for a client in my city.  The MS AD administrator asked about how to prevent users from loggin in  based on a Group.
Sametime doesn't have this kind of police. If you use the TN 1166845 the solution is to add a new attribute for every user. :-(.

This workaround doesn't meet our requirements (restricting using groups). I change the LDAP search filter in stconfig.nsf from;

Search filter for resolving person names: (&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)
(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name: (&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)
(sn=%s)(mail=%s)))

To:

Search filter for resolving person names: (&(objectclass=organizationalPerson)(memberOf=CN=GroupName,OU=OUName,DC=domain,DC=com,DC=br)(|(cn=%s*)(givenname=%s*)
(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name: (&(objectclass=organizationalPerson)(memberOf=CN=GroupName,OU=OUName,DC=domain,DC=com,DC=br)(|(cn=%s)(givenname=%s)
(sn=%s)(mail=%s)))

Reboot the Sametime and it will work.