We are having this strange issue. We can create and maintain user attributes through our LDAP connection against AD. We do experience a problem using the ldapGroups attribute on an assignment in order to assign the user to an AD group.
I have added the base context to the connector, and manually added the users to the group with the same credentials as IDM to check permissions. There is nothing in the logs. Any ideas on what to try next?
It turned out there were two AD servers and the DNS lookup returned either one on a round-robin basis. When IDM logged in on one server and tried to update a user on the other it would fail, which happened about half of the time. We switched the URL to reference the same server every time and now the failures seem to be a thing of the past.
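An added check for the situation described in the thread (not code from the poster or from IDM): it lists the distinct addresses an LDAP host resolves to, so a round-robin name hiding several domain controllers is visible before it causes intermittent failures, and rewrites the connector URL to a single named server. The resolver is injectable so the check runs offline here with a constructed two-server answer; `ad.example.com` and `dc1.example.com` are assumed names.

```python
import socket
from urllib.parse import urlsplit, urlunsplit

def resolve_all(host, resolver=socket.getaddrinfo):
    """Distinct addresses behind a hostname. More than one means the
    name is round-robin and each bind may land on a different DC."""
    seen = []
    for _family, _type, _proto, _canon, sockaddr in resolver(host, None):
        addr = sockaddr[0]
        if addr not in seen:
            seen.append(addr)
    return seen

def is_round_robin(host, resolver=socket.getaddrinfo):
    return len(resolve_all(host, resolver)) > 1

def pin_ldap_url(url, server):
    """Rewrite ldap(s)://host[:port]/... to one specific server name.
    Pin to a server's own hostname, not its IP, so ldaps certificate
    hostname checks keep working."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    netloc = "%s:%d" % (server, port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def constructed_resolver(host, port):
    # Constructed getaddrinfo-style answer: two DCs behind one name,
    # with a duplicate UDP entry that must not be counted twice.
    return [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.0.11", 0)),
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.0.12", 0)),
        (socket.AF_INET, socket.SOCK_DGRAM, 17, "", ("10.0.0.11", 0)),
    ]

if __name__ == "__main__":
    url = "ldap://ad.example.com/dc=example,dc=com"
    host = urlsplit(url).hostname
    addrs = resolve_all(host, constructed_resolver)
    if is_round_robin(host, constructed_resolver):
        print("%s resolves to %d servers: %s" % (host, len(addrs), ", ".join(addrs)))
        print("pinned URL:", pin_ldap_url(url, "dc1.example.com"))
```

Running it against the real name (drop the constructed resolver argument) tells you whether the connector host is actually several domain controllers; replication lag between them is what makes a just-created or just-modified entry absent on the other server.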