Hi, Joel.
I think there may be some confusion here. When an external backend LDAP server is involved, integrating it with Gluu Server usually splits into two different parts:
1. You configure [Cache Refresh](https://gluu.org/docs/ce/3.1.6/user-management/ldap-sync/) to pull user entries from your AD server(s) into Gluu's own internal LDAP server.
2. You configure authentication in such a way that oxAuth will verify user credentials against your AD server(s) (using a simple LDAP bind operation) - this assumes you use basic LDAP-based authentication.
For both parts it's possible to customize the flow within certain limits, using custom scripts written in Jython.
So, for example, you could import your users from AD server 1, and when each of them is processed, you could query AD server 2 from inside the custom script, loading group data and processing it (like adding a new attribute to each user containing a list of the groups they are in).
Then in your authentication custom script you'll be checking this attribute on local user entries, if needed, or just include it as a claim when serving SSO requests from your apps, allowing them to do authorization (not sure what your final goal is here).
Please note that help with writing custom scripts is not covered by Community Support, though.