DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

3900 SSL VPN with LDAP Auth

07 Oct 2016 12:21 #1 by ollietait
3900 SSL VPN with LDAP Auth was created by ollietait
I have a new DrayTek 3900 I'm configuring, and would like to use AD for SSL VPN auth.
FW is 1.2.1 which is latest as of today.

In User Management / LDAP/AD I've created a new profile in Regular mode with
IP of a DC on the LAN,
port 389,
CNI is cn,
Base DN cn=Test,dc=subdomain,dc=domain,dc=domainsuffix (where Test is the OU in subdomain.domain.local)
Group DN blank (nothing)
Regular DN cd=vpntest,cn=test,dc=subdomain,dc=domain,dc=domainsuffix (a test user account in the local domain)
Regular Password password of above user account
logout after -1

In VPN and Remote Access \ PPP General Setup I've set user auth to LDAP in both PPTP and SSL VPN.

I have nothing in VPN Profiles (doesn't seem to apply unless I'm using local accounts for auth).

When the VPN client then tries to connect they always get Access Denied because the username and/or password is invalid on the domain.

I've raised a support ticket with DrayTek, but not had any useful response in over a week.... Anyone got any ideas?

18 Jan 2017 15:15 #2 by ollietait
Replied by ollietait on topic Re: 3900 SSL VPN with LDAP Auth
Got there in the end with it.
The group appears to have to be in the same OU as the base DN.
The issue was also confused by using the default option to use cn, which is the user's display name, rather than sAMAccountName, which is the user's username.
Also slightly confused by the fact that the AD default "Users" OU, which is built-in, is addressed as CN rather than OU - all other OUs that are manually created are OU.

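An offline model of the two mismatches described in the reply above, added here as an example and not taken from the original posts or from DrayTek. The directory entries, the `.local` suffix on the DNs, and the `resolve` helper are constructed for illustration, and the matching is a simplification of an LDAP subtree search.

```python
# Constructed sample entries (not real data): (DN, attributes).
DIRECTORY = [
    ("CN=VPN Test,OU=Test,DC=subdomain,DC=domain,DC=local",
     {"cn": "VPN Test", "samaccountname": "vpntest"}),
    ("CN=Jane Roe,CN=Users,DC=subdomain,DC=domain,DC=local",
     {"cn": "Jane Roe", "samaccountname": "jroe"}),
]


def parse_dn(dn):
    """Split a simple DN (no escaped commas) into lower-cased (type, value) pairs."""
    return [tuple(part.strip().lower() for part in rdn.split("=", 1))
            for rdn in dn.split(",")]


def under_base(entry_dn, base_dn):
    """True when entry_dn sits at or below base_dn (RDN suffix match)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def ldap_filter(id_attr, login):
    """Build the equality filter, escaping RFC 4515 special characters."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in login)
    return "(%s=%s)" % (id_attr, escaped)


def resolve(login, id_attr, base_dn):
    """Hypothetical helper: DN matched for this login, or None if nothing matches."""
    for dn, attrs in DIRECTORY:
        if under_base(dn, base_dn) and attrs.get(id_attr.lower(), "").lower() == login.lower():
            return dn
    return None


if __name__ == "__main__":
    suffix = "DC=subdomain,DC=domain,DC=local"
    for attr, base in [("cn", "OU=Test," + suffix),
                       ("sAMAccountName", "OU=Test," + suffix)]:
        print(ldap_filter(attr, "vpntest"), base, "->", resolve("vpntest", attr, base))
    for base in ["OU=Users," + suffix, "CN=Users," + suffix]:
        print(ldap_filter("sAMAccountName", "jroe"), base, "->",
              resolve("jroe", "sAMAccountName", base))
```

The filter string returned by `ldap_filter` can be run against the DC with any LDAP search tool, using the same base DN, to confirm that exactly one account matches before pointing the router at it.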

19 Jan 2017 13:23 #3 by quantiq
Replied by quantiq on topic Re: 3900 SSL VPN with LDAP Auth
Can you post your working config please just for reference.

Thanks
