Unable to access Sponsor portal with LDAP as a external identity

Hello Team,

Need your help.

Unable to access Sponsor portal with LDAP credentials.

Configuration is correct. Sponsor portal is working for AD & internal users but not for LDAP users.

Can anyone please help?

Thanks in advance.

3 Replies

hslai
Cisco Employee

One main difference between LDAP and AD or ISE internal users is that ISE does not support nested LDAP group memberships.

Please ensure the user is a direct member of the LDAP group that maps to an ISE sponsor group.

 

Thanks for information.

Could you suggest where i will get those setting in LDAP server ??

I occasionally dabble in a bit of LDAP and I am always chuffed when things work. It's quite a complex thing to deal with, and we are spoilt when dealing with AD (which hides all that LDAP stuff under the hood).

One tool I can recommend is AD Explorer from Microsoft SysInternals.

Use this tool to bind to your LDAP/AD directory to see where things live and what attributes they have. I had to use this recently to figure out why things were failing when I switched my ISE AuthZ Condition from AD to LDAP and it kept failing.

In my example below I was checking whether a user was a member of the AD Security Group called "ise-readonly". I could do it in two ways. In the first case I assigned the AD user's primary group to be "ise-readonly", which is something you probably can't always rely on. But in the second case, I managed to match the user's group membership by importing that group name from LDAP, and then using it in the AuthZ. The trick with the "memberOf" was that my LDAP setup config was not right to start with, and ISE was failing to read the LDAP Group table from AD.

[Attached screenshots: ldap-lab.PNG, lda-setup.PNG, ldap-attr.PNG]
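An added illustration, not from this thread, of the point hslai makes and that the memberOf check in the last reply relies on: with group entries in LDIF form (constructed sample data, made-up DNs), a user who only reaches the sponsor-mapped group through a nested group is not a direct member, and direct membership is what ISE evaluates for an LDAP identity source regardless of which attribute (member on the group or memberOf on the user) it is configured to read.

```python
from typing import Dict, List

# Constructed sample directory data (not from the thread). "sponsors" is the group mapped to the
# ISE sponsor group: alice is listed directly in its member attribute, bob only through "helpdesk".
SAMPLE_LDIF = """\
dn: CN=sponsors,OU=Groups,DC=example,DC=com
member: CN=alice,OU=Users,DC=example,DC=com
member: CN=helpdesk,OU=Groups,DC=example,DC=com

dn: CN=helpdesk,OU=Groups,DC=example,DC=com
member: CN=bob,OU=Users,DC=example,DC=com
"""
SPONSOR_GROUP = "CN=sponsors,OU=Groups,DC=example,DC=com"

def parse_ldif_groups(ldif: str) -> Dict[str, List[str]]:
    """Map each entry DN to its member values (minimal parser: no line folding, no base64 '::')."""
    groups: Dict[str, List[str]] = {}
    dn = None
    for line in ldif.splitlines():
        if not line.strip():            # blank line ends the current entry
            dn = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            dn = value.lower()          # DNs compare case-insensitively
            groups[dn] = []
        elif attr == "member" and dn is not None:
            groups[dn].append(value.lower())
    return groups

def is_direct_member(groups: Dict[str, List[str]], user_dn: str, group_dn: str) -> bool:
    """Direct membership: the user DN itself is in the group's member attribute.
    This is the only relationship ISE evaluates for an LDAP identity source."""
    return user_dn.lower() in groups.get(group_dn.lower(), [])

def is_nested_member(groups: Dict[str, List[str]], user_dn: str, group_dn: str, seen=None) -> bool:
    """Membership through any chain of nested groups (what AD resolves, but ISE over LDAP does not)."""
    seen = set() if seen is None else seen
    group_dn = group_dn.lower()
    if group_dn in seen:                # guard against circular nesting
        return False
    seen.add(group_dn)
    for member in groups.get(group_dn, []):
        if member == user_dn.lower():
            return True
        if member in groups and is_nested_member(groups, user_dn, member, seen):
            return True
    return False
```

A user for whom is_nested_member is true but is_direct_member is false is exactly the case that logs in to the sponsor portal via AD but fails via LDAP; the fix is to add that user (or their account) directly to the mapped group.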