user_verify_class = LDAP, DB
‘LDAPBaseDN’ => ‘cn=users,dc=hq,dc=domain,dc=net’,
‘LDAPbinddn’ => ‘cn=admin;cn=users;dc=hq;dc=domain;dc=net:password’,
‘LDAPmailattribute’ => ‘mail’,
‘LDAPserver’ => ‘domaincontroller’,
‘LDAPuidattribute’ => ‘samaccountname’,
‘user_verify_class’ => ‘LDAP,DB’,
You can verify the BaseDN and binddn parts by looking at the AD Users and Computers.

if you go to the « User Authentication » section of the
parameters page you can specify usernames only in emailregexp and then
automatically append the email address with emailsuffix. this might be
what you are looking for.
make sure that your admin user has Account Operator’s group membership in the AD domain

you can pick whatever Active Directory/LDAP field
you want to use for identifing your users via the « login » blank – this is
set in the LDAPuidattribute field. I selected samaccountname