Tags: active-directory, asp.net-identity, identityserver3, active-directory-group, membershipreboot

IdentityServer3 - which for ActiveDirectory: MembershipReboot / AspNetIdentity / UserService


I hope the following question makes sense:

How should I set up IdentityServer3:

  1. Must I use my own custom UserService to access ActiveDirectory?
  2. and does that replace the MembershipReboot / AspNetIdentity support (or am I misunderstanding what the UserService is)?
  3. Or should I use one of the MembershipReboot / AspNetIdentity packages from IdentityServer3, and somehow customize them to map to ActiveDirectory (and if so, how)?

Solution

  • It seems there is no "mapping", and there should not be a mapping, from AD to a MembershipReboot, AspNetIdentity or the newer IdentityReboot user store. The reason seems simple: MR, AspId and IR are all ways to store user information persistently (some sort of database or repository), which is already done in AD.

    The UserService is enough. It causes the ASP.NET identity objects to be populated and the middleware to work as expected, calling user authentication and user or resource authorization correctly and automatically, after the client calls are "decorated" with "Authorize" attributes, or after returning from the OP (the OpenID Connect Provider) or from separate authorization or resource providers, in security calls.

    Answer update: Now in IdentityServer4 the UserService has been deprecated and instead you use IResourceOwnerPasswordValidator.

    See here for working code and a detailed explanation, in the answer after the accepted one (vote it up please) IdentityServer4 register UserService and get users from database in asp.net core
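The answer above says a custom UserService alone is enough for Active Directory. Below is an added example of what such a service looks like; it is not code from the question, the answer or the IdentityServer3 project. It assumes IdentityServer3 v2.x, that `System.DirectoryServices.AccountManagement` is available on the host, and a placeholder domain name `corp.example.com`. Two points a practitioner should take from it: the token subject is the immutable objectGUID rather than the renamable login name, and the failure message never reveals whether the account exists.

```csharp
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;

// Added example: an IdentityServer3 UserService backed by Active Directory.
// The domain name below is an assumed placeholder, not a value from the original page.
public class ActiveDirectoryUserService : UserServiceBase
{
    private const string Domain = "corp.example.com"; // placeholder
    private const string GenericError = "Invalid username or password";

    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // ValidateCredentials binds against AD; it is false for a wrong
            // password as well as for an unknown or locked account.
            bool valid = !string.IsNullOrEmpty(context.UserName)
                      && !string.IsNullOrEmpty(context.Password)
                      && ctx.ValidateCredentials(context.UserName, context.Password);

            var user = valid
                ? UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, context.UserName)
                : null;

            if (user == null || user.Enabled == false)
            {
                // One generic message for every failure: do not leak account existence.
                context.AuthenticateResult = new AuthenticateResult(GenericError);
                return Task.FromResult(0);
            }

            // objectGUID is stable across renames; samAccountName is not.
            string subject = user.Guid.GetValueOrDefault().ToString();
            context.AuthenticateResult = new AuthenticateResult(
                subject, user.DisplayName ?? user.SamAccountName, BuildClaims(user));
        }
        return Task.FromResult(0);
    }

    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Guid, context.Subject.GetSubjectId());
            if (user == null) return Task.FromResult(0);

            var claims = BuildClaims(user);
            // Only issue the claim types the requested scopes ask for.
            var requested = context.RequestedClaimTypes;
            context.IssuedClaims = (requested == null || !requested.Any())
                ? claims
                : claims.Where(c => requested.Contains(c.Type)).ToList();
        }
        return Task.FromResult(0);
    }

    public override Task IsActiveAsync(IsActiveContext context)
    {
        // Runs on refresh tokens and silent sign-in: a disabled AD account loses access.
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Guid, context.Subject.GetSubjectId());
            context.IsActive = user != null && user.Enabled == true;
        }
        return Task.FromResult(0);
    }

    private static List<Claim> BuildClaims(UserPrincipal user)
    {
        var claims = new List<Claim>
        {
            new Claim(Constants.ClaimTypes.Name, user.DisplayName ?? user.SamAccountName),
            new Claim(Constants.ClaimTypes.PreferredUserName, user.SamAccountName)
        };
        if (!string.IsNullOrEmpty(user.EmailAddress))
            claims.Add(new Claim(Constants.ClaimTypes.Email, user.EmailAddress));

        // AD group membership becomes role claims; scopes decide which reach a token.
        foreach (var group in user.GetAuthorizationGroups().OfType<GroupPrincipal>())
            if (group.SamAccountName != null)
                claims.Add(new Claim(Constants.ClaimTypes.Role, group.SamAccountName));
        return claims;
    }
}

public static class IdSrvConfig
{
    // Register the service on the factory that Startup hands to IdentityServerOptions;
    // no MembershipReboot or AspNetIdentity package is involved.
    public static IdentityServerServiceFactory BuildFactory()
    {
        var factory = new IdentityServerServiceFactory();
        factory.UserService = new Registration<IUserService, ActiveDirectoryUserService>();
        return factory;
    }
}
```

The service re-queries AD in `IsActiveAsync` rather than trusting the original sign-in, which is what makes a disabled account stop receiving refreshed tokens without any separate user store to keep in sync.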