I was about to give up on this plugin until I discovered the dir_scope option. It's mentioned in the source but not (currently) in the configuration example. It defaults to 1, but for some reason that never allowed users to be found in my schema. I set it to 2, which started working, but I had to patch the code. I kept getting errors about requiring integers instead of unicode, so I wrapped each use of scope inside _dir_search with int(). (r12025 of auth.py) This finally allowed my users to be authenticated, and group permissions are working too (at lead the TRAC_ADMIN group). I've been looking for this functionality for a long time, so thank you!
The source documents dir_scope to have values of 0, 1, 2, which correspond in theory to the LDAP Python module's ldap.SCOPE_BASE, ldap.SCOPE_ONELEVEL, ldap.SCOPE_SUBTREE. While those values are unlikely to change, perhaps a lookup from the number values to the ldap module constants would guarantee future compatibility better than just passing the raw numbers in?