Hi Cyril,
Unfortunately we're still using CA RA 5.5 (hope to upgrade soon...) !
But we are using only one AD.
I think the issue is about attribute mapping.
When I import a LDAP user, I can specify the attribute mapping (by default USER_NAME=samaccountname,GIVEN_NAME=givenname,SURNAME=sn,EMAIL=email,SECURITY_CONTEXT=userprincipalname), then I am able to put another attribute in SECURITY_CONTEXT.
But when I import a LDAP group, there is no way to specify the attribute mapping and userprincipalname is always used as SECURITY CONTEXT, and then some users are not able to login because they don't have a userprincipalname attribute.
I wonder if there is a setting somewhere in a config file to change this behaviour ?