why should you need both configs? did you place your two configs in two independant subsystems? For my understanding the second one including the group memberOf filter should be fine for both (sync & login).
How does your authentication.chain look like?
Please check you have autoCreatePeopleOnLogin disabled to prevent user creating from any successfull ldap auth request ignoring your sync paths:
# Should we auto create a missing person on log in?