I would like to synchronize user accounts only if they are a member of a certain group in a certain OU. The OU and group are dynamic. I know that an LDAP search on memberOf is not searchable with wildcards, so how would you do that?
So if the user is a member of GroupOne in that exact structure, then synchronize that user from Active Directory to the AD LDS.
The simplest suggestion I can offer at the moment is to use a validSource script to check the contents of source.memberOf, looking for the group name that you are interested in. Unfortunately, you won't be able to rely on livesync on the LDAP account for group membership changes, since those are maintained by the group object, not the account. For that reason, I suggest using a regular recon schedule on the accounts – not as fast as livesync, but it will consistently reflect the state of the group membership.
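The membership check the answer describes, as an added example that is not part of the original thread and not the sync product's own validSource code: given the memberOf values of one user, decide whether that user is a direct member of a group with a given CN located anywhere under a given OU subtree, comparing DNs component by component rather than with wildcards. It also builds the two exact-match LDAP filters (resolve the group DN first, then search memberOf for that exact DN) that work around the fact that memberOf is a DN-syntax attribute and does not support substring matching. The sample DNs, the group name GroupOne and the OU layout are constructed assumptions.

```python
"""Decide whether an AD user should be synchronized based on its memberOf values.

Added example, not the sync product's own script. Sample DNs are constructed.
"""

# Constructed sample: memberOf as AD returns it (note mixed case in the second DN).
# AD does not list the user's primary group here, so a check based on memberOf
# alone will never match the primary group (Domain Users by default).
SAMPLE_MEMBER_OF = [
    "CN=GroupOne,OU=Teams,OU=Engineering,DC=example,DC=com",
    "cn=Staff,ou=People,dc=example,dc=com",
]


def split_dn(dn):
    """Split a DN into its RDN strings, honoring backslash escapes (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escaped pair (e.g. "\," ) intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def dn_is_group_under(dn, group_cn, base_dn):
    """True when dn is CN=<group_cn> located somewhere below base_dn.

    DN attribute types and AD names are case-insensitive, so compare lowercased.
    """
    rdns = [r.lower() for r in split_dn(dn)]
    base = [r.lower() for r in split_dn(base_dn)]
    return (
        len(rdns) > len(base)
        and rdns[0] == f"cn={group_cn.lower()}"
        and rdns[-len(base):] == base
    )


def should_sync(member_of, group_cn, base_dn):
    """The validSource-style decision: sync only if some memberOf DN matches."""
    return any(dn_is_group_under(dn, group_cn, base_dn) for dn in member_of)


def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def group_lookup_filter(group_cn):
    """Step 1: find the group object; run this with the OU as the search base."""
    return f"(&(objectClass=group)(cn={escape_filter(group_cn)}))"


def members_filter(group_dn):
    """Step 2: memberOf only matches on the full DN returned by step 1."""
    return f"(&(objectClass=user)(memberOf={escape_filter(group_dn)}))"


if __name__ == "__main__":
    base = "OU=Engineering,DC=example,DC=com"
    print("sync:", should_sync(SAMPLE_MEMBER_OF, "GroupOne", base))
    print(group_lookup_filter("GroupOne"))
    print(members_filter(SAMPLE_MEMBER_OF[0]))
```

Two caveats a practitioner should keep in mind when wiring this into a scheduled recon: memberOf holds direct memberships only, so a user who reaches GroupOne through a nested group will not match (in AD the `memberOf:1.2.840.113556.1.4.1941:=<group DN>` matching rule in a server-side search resolves nesting); and since memberOf is a back-link maintained from the group side, the recon, not a per-account change notification, is what picks up adds and removes, exactly as the answer says.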