I am certainly not Cisco expert, but from a LDAP perspective, I do not think the memberOf attribute will be reliable.memberOf is an operationanal, (ie not user updatable), server side set recirpical value of the member Attribute from the group entry....