I use: User naming attribute: sAMAccountName Group naming attribute: sAMAccountName Group member attribute: memberof And if I recall, the groups are only returned if they match a local pfSense group (must have the same name).