I had to fiddle with AD authentication to get it to work myself.
Here is what I have in my contains field
CN=Domain Admins,CN=Users,DC=mydomain,DC=com
Basically though, if a user does not have a role assigned to them they cannot log into Mailarchiva.
