Search for an LDAP user that has both directly assigned Nexus roles, and roles assigned through external LDAP group mapping.
In the roles list for the user there is no distinction between the two types of roles. It's important to have this distinction, because they behave differently. For instance, you can't remove an external role mapping from a user (see screenshot).
As an example of how this could be done, in Nexus 2 these external roles would show as grayed out in the list.