Using LDAP authentication, and the user is under OU's, it is not working.
Depending on the Policy configured, for example, if the default policy is "DENY", and Authorization is configured as GROUP - Selecting OU's, user will not be able to access Internet. The User will get the Access Denied page.
Another symptom you may notice from a packet capture is when LDAP does a compare request, the LDAP server responds with "No Such Attribute".
The problem is that an OU is a container and not a Group. The User must be a member of a Group.
With ProxySG, what can be defined for authorization is only LDAP Username or Groups or LDAP attributes.
Below are links that are useful for settings up LDAP Authentication and Authorization.