I have dealt with this in the past. The problem was that the user id was not stored in the correct format in the group attribute (full DN syntax). So we needed to pull the username (cn) off of the user attributes, and query the user CN against the groups.
The attached ruleset along with screenshots does this.
openldap.zip 62.9 K
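Added example, not part of the original post or the attached ruleset: a minimal offline sketch of the lookup described above, showing why a group search keyed on the user's full DN returns nothing while one keyed on the cn succeeds. The `memberUid` attribute, the sample entries and all function names are assumptions made for illustration.

```python
# Constructed sample entries. Assumed schema: groups list members by bare
# username in memberUid (posixGroup style); none of this is from the thread.
USER = {"dn": "cn=jdoe,ou=people,dc=example,dc=com", "cn": ["jdoe"]}
GROUPS = [
    {"dn": "cn=vpn-users,ou=groups,dc=example,dc=com",
     "memberUid": ["jdoe", "asmith"]},
    {"dn": "cn=admins,ou=groups,dc=example,dc=com",
     "memberUid": ["asmith"]},
]


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a username taken from the
    directory or from login input cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(member_value, member_attr="memberUid"):
    """Build the group search filter for one member value."""
    return "(%s=%s)" % (member_attr, escape_filter_value(member_value))


def search_groups(groups, member_value, member_attr="memberUid"):
    """Offline stand-in for the directory search: exact match on member_attr."""
    return [g["dn"] for g in groups if member_value in g.get(member_attr, [])]


def groups_by_dn(user, groups):
    """The failing lookup: the user's full DN never matches a bare username."""
    return search_groups(groups, user["dn"])


def groups_by_cn(user, groups):
    """The working lookup: read cn from the user entry, then query the groups."""
    return search_groups(groups, user["cn"][0])


if __name__ == "__main__":
    print("filter sent to the directory:", group_filter(USER["cn"][0]))
    print("matched by DN:", groups_by_dn(USER, GROUPS))
    print("matched by cn:", groups_by_cn(USER, GROUPS))
```
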
It is working fine.
Thank you very much!