Groups are also a good way to manage users.
I have a DL/SG group in LDAP that I just drop and remove people in to gain access to the server.
Bind DN (For account/members lookup: CN=cmk_bind…
Bind Password: ***
I use LDAPs
TCP 636
Use SSL Yes
BaseDN: Main LDAP Domain
Search Scope: Search whole subtree
Search Filter: (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN… Your LDAP groups
Keep special characters
Group BaseDN: OU=…
Search whole subtree
Search Filter: (objectclass=group)
Attribute: member
I sync Alias, Auth, Contact group, Email address, Roles (Then map roles to AD groups, currently 3)
Other: sync interval 10m