ldap.alternateBaseDN – a second DN in the directory can optionally be set. If set, the alternate base DN will be used for authentication and loading single users, but will not be used to display a list of users (due to technical limitations).
So it seems my problem is due to tech limitations, my question now is:
Is it possible to only show in users list those who are really Users?
In my users list, I get All my AD items (because I set my baseDN to the top of my AD) .