Customer found that while the LDAP people and groups were synced, the membership of (certain) people in groups was not honored by Alfresco. They found that some LDAP records had objectclass 'inetorgperson' while others had objectclass 'inetOrgPerson'. The difference in case prevented proper syncing of members in groups. After changing inetorgperson to inetOrgPerson, the group membership was synced. The LDAP query to sync persons is case insensitive, but the query to sync group members seems to be case sensitive.
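An added example, not Alfresco's code and not part of the original report: a check that lists the entries in an LDIF export whose objectClass equals inetOrgPerson only when case is ignored, which is the mismatch described above. The sample LDIF, the function names and the `EXPECTED` constant are constructed for illustration.

```python
import base64

EXPECTED = "inetOrgPerson"  # spelling the report says works for group membership

# Constructed sample LDIF export (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetorgperson
uid: bob

dn: uid=carol,ou=people,dc=example,
 dc=com
objectClass:: SW5ldE9SR1BlcnNvbg==
uid: carol
"""

def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_case_variants(ldif, expected=EXPECTED):
    """Return (dn, value) pairs whose objectClass differs from `expected` only by case."""
    hits, dn = [], None
    for line in unfold(ldif):
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = attr.lower()  # attribute names are case insensitive in LDAP
        if name == "dn":
            dn = value
        elif name == "objectclass" and value != expected and value.lower() == expected.lower():
            hits.append((dn, value))
    return hits
```

Entries returned by `find_case_variants` are the ones to normalize in the directory before relying on synced group membership for access decisions.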