Integration with Microsoft Active Directory

I would like to share my actual deployment working with Active Directory. This post helped me a lot in configuring my Flowable 6.4.0 setup:

ldap.enabled=true
ldap.server=ldap://<SRVDC>
ldap.port=389
ldap.user=<USER>
ldap.password=<PASSWD>
ldap.base-dn=<BASEDN>
ldap.user-base-dn=<SPECIFIC DN for USERS>
ldap.group-base-dn=<SPECIFIC DN for GROUPS>
ldap.query.user-by-id=(&(objectClass=user)(|(distinguishedName={0})(sAMAccountName={0})(mail={0})))
ldap.query.user-by-full-name-like=(&(objectClass=user)(|(givenName={1})(sn={3})(sAmAccountName={3})))
ldap.query.all-users=(objectclass=user)
ldap.query.groups-for-user=(&(objectCategory=group)(member={0}))
ldap.query.all-groups=(objectClass=group)
ldap.attribute.user-id=distinguishedName
ldap.attribute.first-name=givenName
ldap.attribute.last-name=sn
ldap.attribute.email=mail
ldap.attribute.group-id=sAMAccountName
ldap.attribute.group-name=cn
ldap.groupIdAttribute=sAMAccountName
ldap.groupNameAttribute=cn
ldap.groupCacheSize=10000
ldap.groupCacheExpirationTime=180000

I had a lot of trouble with the ldap.user-base-dn and ldap.group-base-dn, as I always got a REFERRAL error from the IDM service, so I had to change the base DN to the specific OU where our users are stored and not use the BASE DN.
I had to change the user-id attribute to distinguishedName to get the group membership working.
With the actual setup a user can log in by sAMAccountName and email.

Hope it helps someone.
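Added example (my own code, not Flowable's): it loads the ldap.query.* templates from the post out of a properties string, fills the {n} placeholders with RFC 4515 escaping, and shows that a wildcard or parenthesis in a typed login name stays a literal instead of changing the filter. Assumptions: the properties are plain key=value lines, and expand() is a hypothetical helper; Flowable's own placeholder substitution is not shown on the page.

```python
import re

# Constructed sample: the two ldap.query.* lines exactly as they appear in the post.
PROPERTIES = """\
ldap.query.user-by-id=(&(objectClass=user)(|(distinguishedName={0})(sAMAccountName={0})(mail={0})))
ldap.query.user-by-full-name-like=(&(objectClass=user)(|(givenName={1})(sn={3})(sAmAccountName={3})))
"""

# RFC 4515 escaping for values placed inside a filter assertion.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def load_queries(text):
    """Return {name: template} for every ldap.query.* property in a properties file."""
    queries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only: the filter on the right-hand side contains '=' itself.
        key, value = line.split("=", 1)
        if key.startswith("ldap.query."):
            queries[key[len("ldap.query."):]] = value
    return queries


def escape_filter_value(value):
    """Escape the characters that would alter the filter's structure or add wildcards."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, params):
    """Fill {n} placeholders (hypothetical helper). params maps index -> raw value,
    e.g. {0: "jdoe"}; every value is escaped, and a missing index raises KeyError
    instead of leaving a literal '{n}' in the filter."""
    def fill(match):
        idx = int(match.group(1))
        if idx not in params:
            raise KeyError("no value for placeholder {%d}" % idx)
        return escape_filter_value(params[idx])
    return re.sub(r"\{(\d+)\}", fill, template)


if __name__ == "__main__":
    queries = load_queries(PROPERTIES)
    # Login by sAMAccountName or mail, as the post describes; the '*' is kept literal.
    print(expand(queries["user-by-id"], {0: "jdoe*"}))
    # Name search: {1} and {3} both receive the text typed into the search box.
    print(expand(queries["user-by-full-name-like"], {1: "Jo", 3: "Jo"}))
```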
