FMC External Authentication Failing

mumbles202
Level 5

I'm trying to set up external authentication for a 6.5 FMC but am running into some issues. Currently the FMC has LDAP authentication set up for AnyConnect connectivity, and if I try to Fetch DNs or Fetch Attrib those both return values, but when I try to test a user that I know is in the group, by domain\user1 or by just entering user1, it fails. Active Directory is 2016. I'm currently using the following settings:

Base DN - dc=domain,dc=local

UI Access Attribute - sAMAccountName
Shell Access Attribute - sAMAccountName

Administrator - CN=ftdaccess,OU=Security Groups,DC=domain,DC=local
Group Member Attribute - memberOf (I also tried just member w/ the same results)
Shell Access Filter - Same as Base Filter is checked

When I expand the test results I see the following:

The server query size limit was exceeded. Use the Base Filter to reduce the number of records retrieved.
See Test Output for details.
Error
Test Failed: The search for your test user using your current parameters failed; please verify your authentication settings and test user credentials.
External Authentication Object
Authentication Method
CAC - Use for CAC authentication and authorization
Name: LDAP
Description: LDAP Authentication FMC
Server Type:
Primary Server
Host Name/IP Address: 172.16.20.25
Port: 389

The test user in question is a member of 2 groups (Domain Users and ftdaccess).  Should I set the base DN to a path that mirrors the OU that members of the group should be limited to?
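The lookup FMC performs with the settings above, modelled offline as an added example (not Cisco's or the poster's code): the directory entries, the size limit of 2 and the user DNs are constructed; the base DN, attribute names and group DN are the thread's. It shows why a plain sAMAccountName lookup over the whole base DN can trip the server's size limit while a filter scoped to the ftdaccess group returns only the intended admin.

```python
# Added example (not Cisco's or the poster's code): models the lookup FMC
# runs with the thread's settings against a constructed directory, to show
# why scoping the search to the admin group avoids the server size limit.
from typing import Dict, List

BASE_DN = "dc=domain,dc=local"          # values from the thread
UI_ACCESS_ATTR = "sAMAccountName"
GROUP_MEMBER_ATTR = "memberOf"
ADMIN_GROUP_DN = "CN=ftdaccess,OU=Security Groups,DC=domain,DC=local"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=domain,DC=local"

# Constructed directory: one admin, one plain user, one computer account
DIRECTORY: List[Dict[str, List[str]]] = [
    {"dn": ["CN=user1,OU=Staff,DC=domain,DC=local"], "sAMAccountName": ["user1"],
     "memberOf": [ADMIN_GROUP_DN, DOMAIN_USERS]},
    {"dn": ["CN=user2,OU=Staff,DC=domain,DC=local"], "sAMAccountName": ["user2"],
     "memberOf": [DOMAIN_USERS]},
    {"dn": ["CN=PC01,CN=Computers,DC=domain,DC=local"], "sAMAccountName": ["PC01$"],
     "memberOf": []},
]

def norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))  # AD mixes DC=/dc=

def build_filter(username: str, scope_to_group: bool) -> str:
    """Filter string the settings imply; handy for an ldapsearch cross-check."""
    user = f"({UI_ACCESS_ATTR}={username})"
    return f"(&{user}({GROUP_MEMBER_ATTR}={ADMIN_GROUP_DN}))" if scope_to_group else user

def search(username: str, scope_to_group: bool, size_limit: int = 2) -> List[str]:
    """Emulated server: DNs under BASE_DN that match, or the size-limit error
    from the thread's test output. An empty username models an unfiltered fetch."""
    hits: List[str] = []
    for e in DIRECTORY:
        if not norm_dn(e["dn"][0]).endswith(norm_dn(BASE_DN)):
            continue
        if username and username.lower() not in [v.lower() for v in e[UI_ACCESS_ATTR]]:
            continue
        if scope_to_group and norm_dn(ADMIN_GROUP_DN) not in map(norm_dn, e[GROUP_MEMBER_ATTR]):
            continue
        hits.append(e["dn"][0])
        if len(hits) > size_limit:
            raise RuntimeError("sizeLimitExceeded: narrow the base filter or base DN")
    return hits

def size_limit_hit(username: str, scope_to_group: bool) -> bool:
    """True when the emulated server rejects the query for exceeding its limit."""
    try:
        search(username, scope_to_group)
        return False
    except RuntimeError:
        return True
```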

2 Replies

mumbles202
Level 5

So I figured out the first issue and I'm now able to successfully test using LDAP after changing the base DN to , but if I try to use LDAPS it fails. I have the cert from the server exported as a Base64 file, and when I try to browse and upload it, it takes the setting, but if I save, the settings save but the cert disappears when you go back in. Is there a requirement that I'm missing in order to get LDAPS for the external authentication?
