i'm using id_provider=ldap ( in fact everything id/auth/access are all ldap )
as 513 was obviously 'Domain Users' ( not sure where the '200' gets
prefixed? ) I ended up adding local group 'domainusers' with gid = 200513
i suspect my group search base was too specific to pickup domain users ( trying to speed
up 'id -a' i have a tighter group_search_base ) - it's a large domain and
login can take 3-5 seconds to complete auth even with a more specific base