What happens when they log in? Does the system say not logged in (and keep showing the login form) or does is open up the admin interface but no access to anything. Former implies an authentication issue, latter is an authorisation issue.
As a sysadmin impersonate the user and make sure they are the same user as what you linked (impersonate them and then look at their shadow asset ID under 'My Details'). Make sure the moniker/fully qaulified name there, including the bridge id, is identical to the one you used to assign permissions.
Issues we run in to with relative frequency:
We use mutliple LDAP bridges pointing to different parts of the same LDAP instance to restrict authentication, but all the bridges can still 'see' all the users. This means the same user can sometimes be found using several different bridge ID's. Matrix sees the same LDAP moniker but with different bridge ID's at the start as a different user. E.g.
1234:cn=Tim Davison,ou=Group1,o=ORG
8910:cn=Tim Davison,ou=Group1,o=ORG
May technically be the same user in our LDAP but are seen by Matrix as *different* users. When authenticating, Matrix will go by the first match it finds, in top-down order in the authentication systems area. So we have issues sometimes where we've assigned permissions to the 2nd shadow-asset in the example above, but when lggoing in Matrix finds the 1st (or vice cersa). Matrix sees them as different so doesn't pick up on the permissions we've applied.
Another issue we sometimes have (though less frequently) is issues with usernames specified in LDAP (this will largely depend on your LDAP software and business process). In ours multiple 'usernames' are allowed, and can include login names, email addresses, full names, etc (and not consistenly applied across the organisation). This is more an issue with common names, like John Smith. So again. get the user to login and check their 'My Details' section, make sure the moniker is identical to the one you are using. Usually where there's a name clash they will need to insert a middle initial to uniquely identify them. To resolve I usually have to check in the LDAP system what usernames are actually available for that user, and then tell them which one to use that will uniquely identify them.
Lastly, but possibly most difficult to identify, if you are manually typing the user moniker into the fields when linking etc, be very careful of spaces. LDAP allows spaces in the moniker without a problem, but Matrix will see them as different users. E.g. (this is an actual problem we had - took me hours of pain to track it down):
1234:cn=Johan Bach,ou=Group1,o=ORG
1234:cn=Johan Bach, ou=Group1, o=ORG
The only difference between them is the spaces. From memory I've even had problems with a space on the end (though this may be faulty memory on my part. Permissions had been applied using a combination of both the forms above. When I logged in as one of them (using the fully-qualified name) I got access to one set of assets, if I logged in as the other one I got the other set of assets. LDAP recognises them as the same (it ignores spaces) but Matrix sees them as different.
