Indeed, you should only modify the activiti-ldap.properties file in the tomcat/lib directory, as this is loaded last from the classpath and after the properties file from within the exploded webapp was loaded.
Reviewing your properties file, I can see that this cannot work as is at the moment.
I see you set correctly
As you can see in the properties file in the comment above this property, for authentication to work properly, the synchronization part needs also to be enabled. So you should enable it by removing those comments and changing those properties to true and defining the crons:
# Enables full synchronization. With full sync, all user/groups will be checked whether they are valid or not.
# By default, runs at midnight, since this is quite a heavy operation.
# Full synchronization is needed because a partial synchronization cannot detect deletes of groups/users.
#ldap.synchronization.full.cronExpression=0 0 0 * * ?
# Enabled differential synchronization. This will only check the users/groups which are changes since last sync.
# A differential sync cannot detect deletes of users/groups. This is done by the full sync.
#ldap.synchronization.differential.cronExpression=0 0 */4 * * ?
Also I see that you only defined the LDAP URL, but the security principal and password are commented, which does not make much sense.
After a restart you can then log in as admin and inspect whether your users and groups have been synced in by going to activiti-app -> Identity Management -> Users. Only if you can see your expected users synced in there and existing there will you be able to log in with those, if the rest of your configuration is fine.
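As an added example (not part of the original answer and not Activiti code), this Python sketch reports whether the two cron properties quoted above are active, commented out, or missing once the tomcat/lib copy has overridden the webapp copy. The function names, status strings and the WEBAPP sample are assumptions made for illustration; the load order follows the description at the top of the answer.

```python
import re

# An active or commented-out "key=value" line; prose comments do not match.
ASSIGN = re.compile(r"^\s*(#)?\s*([A-Za-z][\w.\-]*)\s*=\s*(.*)$")

def parse(text):
    """Split a properties file into active and commented-out assignments."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            (commented if m.group(1) else active)[m.group(2)] = m.group(3).strip()
    return active, commented

def check(webapp_text, lib_text, required):
    """Status per required key; tomcat/lib values override the webapp copy."""
    web_active, _ = parse(webapp_text)
    lib_active, lib_commented = parse(lib_text)
    effective = {**web_active, **lib_active}  # the file loaded last wins
    status = {}
    for key in required:
        if key in effective:
            fields = len(effective[key].split())
            # Quartz cron expressions have 6 fields, or 7 with the optional year.
            ok = fields in (6, 7) if key.endswith("cronExpression") else True
            status[key] = "active" if ok else "active-bad-cron"
        elif key in lib_commented:
            status[key] = "commented-out"
        else:
            status[key] = "missing"
    return status, effective

REQUIRED = ["ldap.synchronization.full.cronExpression",
            "ldap.synchronization.differential.cronExpression"]

# The snippet quoted in the answer, still commented out.
LIB_AS_POSTED = """\
# By default, runs at midnight, since this is quite a heavy operation.
#ldap.synchronization.full.cronExpression=0 0 0 * * ?
# A differential sync cannot detect deletes of users/groups. This is done by the full sync.
#ldap.synchronization.differential.cronExpression=0 0 */4 * * ?
"""
LIB_FIXED = LIB_AS_POSTED.replace("#ldap.", "ldap.")
# Constructed sample of a value set in the exploded webapp's copy.
WEBAPP = "ldap.synchronization.differential.cronExpression=0 0 */12 * * ?\n"

if __name__ == "__main__":
    for name, text in (("as posted", LIB_AS_POSTED), ("fixed", LIB_FIXED)):
        print(name, check("", text, REQUIRED)[0])
```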