How the configuration is used
With the above configuration, when the cache refreshes, it downloads all the users using the query (objectClass=user) and stores each returned user in a map against its dn. It then does the same for groups using the query (userClass=group).

Once all the objects are downloaded, it considers each user in turn (because Groups hold members is not set, which means that user objects hold the groups to which they belong). For each user, it retrieves all memberOf attributes (as configured by the Group mapping attribute). Each memberOf attribute holds the identifier of a group to which this user belongs. In the case of a typical Active Directory configuration, this identifier is the dn of the group object. The identifier is looked up in the map (which holds the group objects against their unique identifier, a dn) to find the group object. Once all the memberOf attributes have been considered, we have a list of all the group objects for that user.

We can then establish the names of the users and groups from the objects we have by finding the value of the sAMAccountName attribute (as configured in the User Name and Group Name entries). Once all the above is complete, we have a user name and a list of group names, and this information is inserted into the cache.
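The refresh described above, as an added example that is not the product's own code: it performs the same dn-keyed lookup over constructed directory entries and also reports memberOf values that match no downloaded group. The function names, the sample entries, the lower-cased dn comparison and the skipping of users without a name are assumptions.

```python
USERS = [  # constructed result of the user query: (dn, attributes) pairs
    ("CN=Alice Smith,OU=Staff,DC=example,DC=com",
     {"sAMAccountName": ["asmith"],
      "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com",
                   "cn=auditors,ou=groups,dc=example,dc=com"]}),
    ("CN=Bob Jones,OU=Staff,DC=example,DC=com",
     {"sAMAccountName": ["bjones"],
      "memberOf": ["CN=Contractors,OU=External,DC=example,DC=com"]}),
    ("CN=Svc Backup,OU=Staff,DC=example,DC=com",
     {"sAMAccountName": ["svc-backup"]}),  # no memberOf values at all
]
GROUPS = [  # constructed result of the group query
    ("CN=Admins,OU=Groups,DC=example,DC=com", {"sAMAccountName": ["Admins"]}),
    ("CN=Auditors,OU=Groups,DC=example,DC=com", {"sAMAccountName": ["Auditors"]}),
]

def norm(dn):
    # Assumption: dns compare case-insensitively, as in Active Directory;
    # lower-casing is a simplification of full dn matching rules.
    return dn.strip().lower()

def first(attrs, name):
    values = attrs.get(name) or []
    return values[0] if values else None

def refresh_cache(users, groups, user_name="sAMAccountName",
                  group_name="sAMAccountName", group_mapping="memberOf"):
    """Return (cache, unresolved): user name -> sorted group names, plus the
    (user, memberOf value) pairs that produced no group name."""
    group_by_dn = {norm(dn): attrs for dn, attrs in groups}
    cache, unresolved = {}, []
    for _dn, attrs in users:
        name = first(attrs, user_name)
        if name is None:
            continue  # assumption: a user without a name cannot be cached
        names = []
        for ref in attrs.get(group_mapping, []):
            group = group_by_dn.get(norm(ref))
            gname = first(group, group_name) if group else None
            if gname is None:
                unresolved.append((name, ref))  # no group object or no name
            else:
                names.append(gname)
        cache[name] = sorted(names)
    return cache, unresolved

if __name__ == "__main__":
    print(refresh_cache(USERS, GROUPS))
```

In this sample, bjones ends up cached with no groups because his only memberOf value points at a group the group query did not return, which is why the example collects unresolved references instead of dropping them silently.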