Not sure we were having the same problem.
My problem certainly looked like yours.
From my SunEnterpriseSystem LDAP server
access log (SunONE, or iPlanet), I saw:
In other words, all groups under ou=groups,o=root
were assigned to the authenticated user.
The problem of course is the filter.
It should be (uniqueMember=username)
What I did was to modify
original: answer = ctx.search(rolesCtxDN, roleFilter.toString(), filterArgs, controls);
new: answer = ctx.search(rolesCtxDN, "("+uidAttrName+"="+userToMatch+")", controls);