I managed to get Active Directory integration mostly working right now. The only problem is that I want to set the principal's username attribute to sAMAccountName instead of CN. This seems to work, but then it blows up the Groups and Roles and I don't see any groups or roles anymore as soon as I change the Username Attribute. Using different OUs don't seem to help the situation of no Roles or Groups.

This is mostly because my CN names will end up being Firstname Lastname as opposed to their NT logins. The firstname lastname type of username will probably confuse the users when they're used to NT Logins.

When username attribute = cn, then:
Groups map to Groups
Roles map to Roles

When username attribute = sAMAccountName, then:
Groups map to nothing
Roles map to nothing