Setting the base DN to ou=Users will not work, even though the base DN is meant to monitor everything below it. The reason is that it cannot search the entries directly under the base DN, which in this case would be the uid entries. The only way around this would be to create a sub-OU under Users and migrate all UIDs into it, which in most instances would not work due to environmental dependencies. Thus, to get ou=Users,ou=Applications,dc=ca,dc=com to work as the base DN, LDAP would need to contain ou=new_ou_group,ou=Users,ou=Applications,dc=ca,dc=com. With this in mind, managing the users in ou=Users requires a base DN one level higher in the hierarchy, which means using ou=Applications,dc=ca,dc=com so that it can discover the users and manage them.
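A pre-check for a planned base DN, as an added example that is not part of the original page or of any product's code. It models the behaviour described above as an assumption (entries directly under the base DN are not discovered, entries at least one container deeper are); the function names and the sample uid entries are constructed for illustration.

```python
import re

# Constructed sample entries (not from a real directory).
SAMPLE_USERS = [
    "uid=jdoe,ou=Users,ou=Applications,dc=ca,dc=com",
    "uid=asmith,ou=Users,ou=Applications,dc=ca,dc=com",
]

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def depth_below(base_dn, entry_dn):
    """Levels between base_dn and entry_dn, or None if the entry is outside the base."""
    base, entry = split_dn(base_dn), split_dn(entry_dn)
    if len(entry) < len(base) or (base and entry[-len(base):] != base):
        return None
    return len(entry) - len(base)

def check_base_dn(base_dn, user_dns):
    """Sort user DNs by whether the modelled discovery would find them."""
    report = {"discovered": [], "missed": [], "outside": []}
    for dn in user_dns:
        depth = depth_below(base_dn, dn)
        if depth is None:
            report["outside"].append(dn)
        elif depth <= 1:
            # Assumption from the text: entries directly under the base DN are not searched.
            report["missed"].append(dn)
        else:
            report["discovered"].append(dn)
    return report

def suggest_base_dn(user_container_dn):
    """Return the parent of the container that holds the users."""
    rdns = re.split(r"(?<!\\),", user_container_dn)
    return ",".join(r.strip() for r in rdns[1:])

if __name__ == "__main__":
    container = "ou=Users,ou=Applications,dc=ca,dc=com"
    for base in (container, suggest_base_dn(container)):
        report = check_base_dn(base, SAMPLE_USERS)
        print(base, "->", len(report["discovered"]), "discovered,", len(report["missed"]), "missed")
```

Running the check against an export of the real user DNs before changing the base DN shows which accounts would fall out of management scope.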