This error usually appears in the node agent SystemOut.log when attempting to sync the node using the WebSphere admin console.
SECJ0373E: Cannot create credential for the user <null> due to failed validation of the LTPA token.
The exception is com.ibm.websphere.wim.exception.InvalidUniqueNameException
CWWIM0515E: The 'uid=jeremy.canfield,ou=People,dc=software,dc=eng,dc=us' entity is not in the scope of the 'defined' realm.
Refer to the article on how to assign roles to groups. You may also want to refer to Understanding Lightweight Third Party Authentication (LTPA) in WebSphere.