LDAP Authentication and group membership

Hi!

I'm trying to make this work. My LDAP authentication works OK, but I want it to test whether the user is a member of a specific group or not. Well, if I test with any user, it says Successful whether the user is a member of the group or not, and I want it to fail if the user is not a member of the group. I am using ASDM and testing in the AAA Server Groups with the Test button and the authentication test.

Thanks for your help!

ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf CN=ITVPN,CN=users,OU=Domain,DC=local 6

aaa-server LDAP protocol ldap
aaa-server LDAP (Inside) host 10.1.1.1
  ldap-base-dn OU=MyOU,dc=Domain,dc=local
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password Something
  ldap-login-dn CN=UserAdmin,OU=Service,OU=MyOU,DC=Domain,DC=local
  server-type microsoft
  ldap-attribute-map CISCOMAP
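As an added example (it is not the original poster's configuration and not an official Cisco answer), one way to make users who are not in the group fail is to map memberOf to a group policy and send everyone whose memberOf matched nothing to a default policy that permits zero sessions. Assumed names: group-policy ITVPN_POLICY and NOACCESS and tunnel-group ITVPN-TG. The group DN is the one from the post; in practice copy it verbatim from the memberOf value printed by debug ldap 255 so it matches exactly. The aaa-server LDAP definition from the post stays as it is, it only needs to reference the map.

```cisco
! Added example, not the poster's config. Assumed names: ITVPN_POLICY,
! NOACCESS, ITVPN-TG. Group DN taken from the post; copy yours from
! the memberOf value shown by "debug ldap 255".
ldap attribute-map CISCOMAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=ITVPN,CN=users,OU=Domain,DC=local ITVPN_POLICY
!
! Policy for members of the group (the only users allowed to connect)
group-policy ITVPN_POLICY internal
group-policy ITVPN_POLICY attributes
  vpn-simultaneous-logins 3
!
! Catch-all policy for anyone whose memberOf matched no map-value:
! zero simultaneous logins means the session is refused
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0
!
! Tunnel group authenticates against the LDAP server group from the post
! and falls back to NOACCESS when no group policy was mapped
tunnel-group ITVPN-TG type remote-access
tunnel-group ITVPN-TG general-attributes
  authentication-server-group LDAP
  default-group-policy NOACCESS
```

The ASDM Test button and `test aaa-server authentication` only prove that the bind and password check succeed; the group restriction takes effect when a VPN user actually logs in and the ASA applies the mapped group policy, or NOACCESS when nothing mapped. A user who belongs to several groups gets several memberOf values, and any one of them matching a map-value is enough.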

2 Replies

Favaloro.
Level 1

Are we sure that when we run the tests, there's no parameter that applies to the same users and puts them all in the same group?

Have you tried this with a real user trying to authenticate?

Do you get any useful logs from the server?

What type of LDAP server are you using? Microsoft Windows 2012 or 2008? I had a problem with 2012 not giving the groups back for some users.

Same problem as https://supportforums.cisco.com/message/3866327#3866327

debug ldap 255 shows the correct value with one user that is working:

[196] Authentication successful for Administrator to 192.168.20.80
[196] Retrieved User Attributes:
[196]   objectClass: value = top
[196]   objectClass: value = person
[196]   objectClass: value = organizationalPerson
[196]   objectClass: value = user
[196]   cn: value = Administrator
[196]   description: value = Vordefiniertes Konto für die Verwaltung des Computers bzw. der Domäne
[196]   distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local
[196]   instanceType: value = 4
[196]   whenCreated: value = 20081201134058.0Z
[196]   whenChanged: value = 20131126141559.0Z
[196]   displayName: value = Administrator
[196]   uSNCreated: value = 12298
[196]   memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local
[196]           mapped to Group-Policy: value = ssl_admin
[196]           mapped to LDAP-Class: value = ssl_admin

One user that is not working (no entries with memberOf in the debug):

[190] Authentication successful for sdag to 192.168.20.80
[190] Retrieved User Attributes:
[190]   objectClass: value = top
[190]   objectClass: value = person
[190]   objectClass: value = organizationalPerson
[190]   objectClass: value = user
[190]   cn: value = sdag
[190]   distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local
[190]   displayName: value = sdag
[190]   homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini
[190]   proxyAddresses: value = smtp:sdag@xxxx
[190]   proxyAddresses: value = SMTP:sdag@xxxxx
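The debug comparison above is the right check; as an added example (not part of the thread), here is the CLI sequence that produces the same output for a chosen account without going through ASDM, so that both the credential check and the attribute retrieval can be inspected. The username jdoe and password S3cret are placeholders, and LDAP and 10.1.1.1 are the server group and host from the original post.

```cisco
! Added example, not from the thread. Replace jdoe / S3cret with a real
! account; LDAP and 10.1.1.1 are the server group and host from the post.
debug ldap 255
! Proves only that the login DN can bind and the user's password is correct
test aaa-server authentication LDAP host 10.1.1.1 username jdoe password S3cret
! Fetches the user's attributes (memberOf among them) and runs the attribute map
test aaa-server authorization LDAP host 10.1.1.1 username jdoe
undebug all
```

In the authorization output, look for "memberOf: value =" followed by "mapped to Group-Policy"; if the memberOf line is missing altogether, as for sdag above, check the account's group list in Active Directory. One AD property to keep in mind when reading such output is that memberOf never lists the user's primary group (normally Domain Users), so an account whose only group is its primary group returns no memberOf at all.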
