So it seems like the only way I can get LDAP auth working with our AD server is to specify the OU in the base. However, our users are broken up into multiple OU's. How exactly do I specify a base that will allow the LDAP plugin to find all the users in the different OU's? I can't seem to get this working.

My settings:
bind: CN=Administrator,CN=Users,DC=domain,DC=local
base: OU=Information Technology,DC=domain,DC=local
filter: sAMAccountName=%s

It works this way, but obviously will only authenticate users in the "Information Technology" OU. If I remove the OU from the base, it won't authenticate anybody at all. Is there any way to do this?