Here's my roster filter:
Here's the ejabberd.log:
It may be useful for the %u substitution to work in the ldap_rfilter. In my specific case, the LDAP server returns a limited result set which may not include all the LDAP groups the given user, %u, belongs to. One obvious solution on my side is to ask the LDAP administrator to not limit the search results. But, it may also be useful to limit the LDAP query itself based on the user, %u.