[SHORT UPDATE: My hypothesis was wrong]
[FULL UPDATE: Click here]
Seems like I always run into bugs w/ UCS's LDAP and AD integration. This time it appears that UCS has issues w/ associating users that are members of AD groups that contain more than 1000 members. I say 1000 members because in all likelihood UCS's programming is calling this method:
In my case, I was referencing 'domain users' and granting read-only. Testing the user from the CLI would show that the account authenticates just fine, as follows:
test aaa server ldap nameofADserver usernametoTest cleartextpassword
user has been authenticated
In the end, the problem seems to be that UCS is unable to map the user to the group that grants the UCS role access because of the 1000-member limit.
Quite simply, map an AD group that has fewer than 1000 members to a UCS-defined role. I've opened a TAC case for further investigation.
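As an added illustration (not from the original post, and not Cisco's or the UCS tooling), here is a small Python check a UCS admin could run against an LDIF export of the AD groups they intend to map to roles. It flags any group the workaround above would reject: one at or above a configurable 1000-member limit, or one that Active Directory has already truncated. AD signals truncation by returning a ranged attribute name such as member;range=0-999 instead of member (the slice size depends on the domain's MaxValRange policy), so such a group is known to be larger than the values returned. The LDIF sample, the group names and the user names are all constructed placeholders.

```python
import re

# Active Directory caps how many values of a multi-valued attribute one query returns
# (the MaxValRange policy). When a group exceeds the cap, the attribute comes back as
# "member;range=0-N" rather than "member". Reading that as "at least N+1 members" is
# the conservative interpretation for a group-size audit.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Handles folded lines (continuations start with a space) and '#' comments."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:   # folded continuation line
            current[last_key][-1] += raw[1:]
            continue
        if not raw.strip():                                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def member_summary(entry):
    """Return (member_count, truncated) for a group entry, honouring ranged attributes."""
    count, truncated = 0, False
    for key, values in entry.items():
        if key == "member":
            count += len(values)
            continue
        m = RANGE_RE.match(key)
        if m and m.group("attr") == "member":
            count += len(values)
            # A bounded range means the server stopped at its cap; only a final
            # slice ("member;range=N-*") carries the remainder of the list.
            if m.group("hi") != "*":
                truncated = True
    return count, truncated


def audit_groups(ldif_text, limit=1000):
    """Flag groups at or above `limit` members, or truncated by the server, as too
    large to map to a UCS role under the workaround described above."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if "group" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        count, truncated = member_summary(entry)
        findings.append({
            "cn": entry.get("cn", ["?"])[0],
            "members": count,
            "truncated": truncated,
            "too_large": truncated or count >= limit,
        })
    return findings


def _build_sample():
    """Constructed LDIF: a small admin group plus a 'Domain Users'-style group for
    which AD returned only a 1000-value slice of 'member' (hypothetical data)."""
    small = [
        "dn: CN=UCS-Admins,OU=Groups,DC=example,DC=test",
        "objectClass: group",
        "cn: UCS-Admins",
        "member: CN=alice,OU=Users,DC=example,DC=test",
        "member: CN=bob,OU=Users,DC=example,DC=test",
        "",
    ]
    big = ["dn: CN=Domain Users,CN=Users,DC=example,DC=test", "objectClass: group", "cn: Domain Users"]
    big += [f"member;range=0-999: CN=user{i:04d},OU=Users,DC=example,DC=test" for i in range(1000)]
    big.append("")
    return "\n".join(small + big)


SAMPLE_LDIF = _build_sample()

if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_LDIF):
        print(finding)
```

Run it with `ldapsearch`-style LDIF output redirected to a file and pass the text to audit_groups(); any entry reported with too_large set is a candidate to replace with a smaller, purpose-built AD group before mapping it to a UCS role.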