Just to make sure I understand correctly
"hoping that only user in GESB-CARA-Users can login. "
Why do you import LDAP users if you want to manage the permissions and the authorization only for GESB-CARA-Users group members?
"Then the permission for the local groups or imported ldap user will determine what the user can do in ROC and ASAP."
When you say local groups, are you referring to local groups you created in RA or LDAP groups you imported?
In general it's better not to mix imported users and groups (work only with imported groups or imported users).
In the applicationContext-acegi-security.xml the groupSearchFilter is wrong; try to leave it with the default value:
<b:property name="groupSearchFilter" value="(|(uniqueMember={0})(member={0}))" />
Can you specify the dn for GESB-CARA-Users group?
Jacky