>> Perfect, so to be clear, all the backend servers need to have identical user objects?
Yes.
>> Is there another strategy I could use to pull in users from different ldap servers (AD + OpenLDAP in this case).
This might be possible but need some hacking as it is not supported out of the box. Also we might need add some features in manage_authentication code which will allow Gluu Server to authenticate different backend servers which has different types of DN tree.