I’d try something like this in the LDAP User filter (of course, depending on how your users are created, this might change the objectClass/objectCategory types):
(&(objectCategory=person)(objectClass=user)(uid=*))
Then you should be able to see all users, and then use the role assignment to select
c=TT,ou=users,OU=directory,ou=whatever,ou=com
and assign those users to the role you need them to be in…