Our issue has been solved. In addition to posting here we also opened a case with IBM. Their recommendation was to remove the ARS_LDAP_GROUP_USER_FILTER_USE_DN parameter altogether. After we removed it, users were successfully added to the appropriate groups.

Our installation is on Windows 2019 running version 10.5.0.4 We are in the process of testing arslsync and are finding that users are being successfully created in CMOD but they are not being inserted into the CMOD group that matches the LDAP groups from which we are syncing.

Is that an invalid expectation? Or would we be missing something in our LDAP parameters?

Here is what we have entered for some of the LDAP parameters:

ARS_LDAP_BIND_ATTRIBUTE=uid
ARS_LDAP_GROUP_FILTER=(&(objectclass=groupOfUniqueNames)(|(cn=11400_DS_CMOD_Dev_Testers)(cn=11400_DS_CMOD_Dev_Developers)))
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_GROUP_USER_FILTER_USE_DN=FALSE
ARS_LDAP_IGN_GROUPS=Claims,Contract-Management,Drug-Rebate,EDI,EPSDT,Financial,Fraud-Abuse(SUR),MAR,Med-Buy-In,Oracle-Accounting,Oracle-Premiums,Provider,Recipient-Eligibility,Recipient-Enrollment,Reference,Remittance-Advice,RRI,System-Wide,Tester,TPL
ARS_LDAP_MAPPED_ATTRIBUTE=uid
ARS_LDAP_SERVER_TYPE=OPEN
ARS_LDAP_SYNC_USERS_ONLY=FALSE
ARS_LDAP_USER_FILTER=(&(objectclass=memberPerson)(|(isMemberOf=cn=11400_DS_CMOD_Dev_Testers,ou=Groups,dc=thirdparty,dc=tn,dc=gov)(isMemberOf=cn=11400_DS_CMOD_Dev_Developers,ou=Groups,dc=thirdparty,dc=tn,dc=gov)))

We are also looking at implementing using arslsync and also would want the user name populated. In our installation the LDAP is external and is supported by another vendor. Since we are not the administrators of the LDAP we won't be directly logging on to the LDAP. In our case, having the user names included in CMOD as well as the LDAP will be helpful for validation and reporting. When we get a help ticket for a user it would be good to be able to see that the user ID supplied belongs to the person specified in the help ticket.