Has anyone had success with vCloud Director using OpenLDAP for Authentication?
I have vCloud Director running, which appears to be fine. I have populated my OpenLDAP with the following. Top Level:
dc=vcloud,dc=tc,dc=xyz,dc=com
cn=admin,dc=vcloud,dc=tc,dc=xyz,dc=com
Users & Groups OUs:
ou=users,dc=vcloud,dc=tc,dc=xyz,dc=com
ou=groups,dc=vcloud,dc=tc,dc=xyz,dc=com
Users & Groups
cn=premium,ou=groups,dc=vcloud,dc=tc,dc=xyz,dc=com
cn=basic,ou=groups,dc=vcloud,dc=tc,dc=xyz,dc=com
cn=guest,ou=users,dc=vcloud,dc=tc,dc=xyz,dc=com
cn=vcduser,ou=users,dc=vcloud,dc=tc,dc=xyz,dc=com
Next I modified the LDAP Settings from the MS AD LDAP field names to match the OpenLDAP defaults:
User Attributes:
- Object class: inetOrgPerson
- Unique identifier: uidNumber
- User name: uid
- Display name: displayName
- Given name: givenName
- Surname: sn
- Email: mail
- Telephone: mobile
- Group membership identifier: dn
- Group back link: tokenGroups
Group Attributes:
- Object class: posixGroup
- Unique identifier: gidNumber
- Name: cn
- Membership: memberUid
- Group Membership Identifier: memberUid
- Group back link identifier: objectSid
After applying the settings, I then click "Test LDAP Settings".
- The user attributes come back fine
- The Group Attributes, 'Group name' & 'Group Unique Identifier' fail (red circle with line through it).
To try and diagnose, I put OpenLDAP into debug mode (-d -1) and then worked through the thousands of lines. Here is what jumped out at me:
For the user lookup I saw:
<SNIP>
conn=1003 op=1 SRCH base="dc=vcloud,dc=tc,dc=xyz,dc=com" scope=2 deref=3 filter="(&(objectClass=inetOrgPerson))"
conn=1003 op=1 SRCH attr=displayName mail givenName inetOrgPerson uidNumber sn mobile uid dn objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
</SNIP>
The two usernames "guest" and "vcduser" were returned, after which I saw separate queries for all their attributes. Happy with that.
Further down in the debug I witnessed:
<SNIP>
attrs: cn posixGroup gidNumber memberUid objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
conn=1003 op=3 SRCH base="dc=vcloud,dc=tc,dc=xyz,dc=com" scope=2 deref=3 filter="(&(objectClass=posixGroup)(?=false))"
conn=1003 op=3 SRCH attr=cn posixGroup gidNumber memberUid objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
</SNIP>
Note that this time the filter states: (&(objectClass=posixGroup)(?=false))
For this I see "hdb_search: no candidates"
If I try these both on the command line:
sudo ldapsearch -xLLL -b "dc=vcloud,dc=tc,dc=xyz,dc=com" -D "cn=admin,dc=vcloud,dc=tc,dc=xyz,dc=com" -w xxxxxxxx "(&(objectClass=inetOrgPerson))"
Returns two users. However, this:
sudo ldapsearch -xLLL -b "dc=vcloud,dc=tc,dc=xyz,dc=com" -D "cn=admin,dc=vcloud,dc=tc,dc=xyz,dc=com" -w xxxxxxxx "(&(objectClass=posixGroup)(?=false))"
Returns:
ldapsearch: ldap_search_ext: Bad search filter (-7)
So, finally, the question. Is vCloud Director broken or is it OpenLDAP?
I have attached a complete dump of my LDAP Server:
Ubuntu 10.10
/usr/sbin/slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Nov 19 2010 17:41:28) $
buildd@allspice:/build/buildd/openldap-2.4.23/debian/build/servers/slapd
Any advice appreciated.
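The "Bad search filter (-7)" that ldapsearch returns above is a client-side syntax check: `?` is not a legal attribute description under RFC 4515/4512, so the filter is rejected before it ever reaches slapd (and vCloud Director, which sends it anyway, gets "no candidates" back). The following is an added example, not code from the original post or from VMware or OpenLDAP; it is a small, self-contained RFC 4515 filter syntax checker in Python that reproduces that verdict for the two filters quoted in the post and reports the offset of the offending token. It does not implement extensible-match filters (`attr:dn:rule:=value`), which this post does not use.

```python
"""Minimal RFC 4515 LDAP search-filter syntax checker (added example).

Mirrors the check a client such as ldapsearch performs before sending a
request, so the two filters seen in the slapd debug output can be compared
offline.  Limitation: extensible matches (attr:dn:rule:=value) are not
supported.
"""
import re

# Attribute description (RFC 4512): a descriptor that starts with a letter and
# continues with letters, digits or hyphens, or a dotted numeric OID; either
# may carry ";option" parts.  '?' fails this, which is the defect in the post.
_ATTR_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$"
)


class FilterError(ValueError):
    """Raised with the offset and reason when a filter is syntactically bad."""


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"offset {i}: expected '('")
    i += 1
    if i >= len(s):
        raise FilterError(f"offset {i}: unexpected end of filter")
    if s[i] in "&|":
        # AND / OR: a sequence of sub-filters (RFC 4526 also allows zero)
        i += 1
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif s[i] == "!":
        i = _parse(s, i + 1)  # NOT takes exactly one sub-filter
    else:
        # simple item: attr ( = | ~= | >= | <= | := ) value; '=*' is presence
        j = i
        while j < len(s) and s[j] not in "=~<>:()":
            j += 1
        attr = s[i:j]
        if not _ATTR_RE.match(attr):
            raise FilterError(f"offset {i}: invalid attribute description {attr!r}")
        if j >= len(s):
            raise FilterError(f"offset {j}: unexpected end of filter")
        if s[j] in "~<>:":
            if j + 1 >= len(s) or s[j + 1] != "=":
                raise FilterError(f"offset {j}: expected '=' after {s[j]!r}")
            j += 2
        elif s[j] == "=":
            j += 1
        else:
            raise FilterError(f"offset {j}: expected filter operator, got {s[j]!r}")
        # assertion value: runs to ')'; '(' must be escaped; escapes are \HH
        k = j
        while k < len(s) and s[k] != ")":
            if s[k] == "(":
                raise FilterError(f"offset {k}: unescaped '(' in value")
            if s[k] == "\\":
                if not re.match(r"\\[0-9A-Fa-f]{2}", s[k:k + 3]):
                    raise FilterError(f"offset {k}: bad escape sequence")
                k += 3
                continue
            k += 1
        i = k
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"offset {i}: expected ')'")
    return i + 1


def check_filter(s):
    """Return (True, "") for a well-formed filter, else (False, reason)."""
    try:
        end = _parse(s, 0)
    except FilterError as e:
        return False, str(e)
    if end != len(s):
        return False, f"offset {end}: trailing characters after filter"
    return True, ""


if __name__ == "__main__":
    # The two filters taken from the slapd debug output in the post.
    for f in ("(&(objectClass=inetOrgPerson))",
              "(&(objectClass=posixGroup)(?=false))"):
        ok, why = check_filter(f)
        print(f"{f}: {'OK' if ok else 'BAD - ' + why}")
```

Run as a script it prints OK for the user filter and "BAD - offset 27: invalid attribute description '?'" for the group filter, matching what ldapsearch reports. A check like this belongs on the consumer side: a filter built from a template whose attribute placeholder was never filled in should be rejected before it is sent, not silently treated as "no results".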