I didn't go too deeply on your issue, but it seems to me that since you have:

ldap user suffix = ou=People

You cannot simply have:

> dn: uid=testuser at mydomain.com,ou=mydomain,o=ndtc

But should have instead:

dn: uid=testuser at mydomain.com,ou=People,ou=mydomain,o=ndtc

Am I wrong?