JumpCloud LDAP integration

Hi, we are trying to use our JumpCloud LDAP as an auth method for Vault. I'm successful in using the users from the LDAP to connect to Vault, but I can't figure out how to assign policies to LDAP groups; every attempt I make to assign different policies to different groups is unsuccessful.
The results are confusing: either every user gets the same policy or none of them gets any policy.

The process I used to set up the LDAP auth was as follows:

  1. I've enabled the LDAP auth method: vault auth enable ldap
  2. Configured the LDAP auth method:
    vault write auth/ldap/config \
     url="ldaps://ldap.jumpcloud.com" \
     binddn="cn=<MY_USER>,ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
     bindpass="<PASSWORD>" \
     userdn="ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
     userattr="uid" \
     groupfilter="(objectclass=groupOfNames)" \
     groupdn="ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com" \
     groupattr="cn" \
     deny_null_bind=true \
     insecure_tls=false
    
  3. Created the Vault policy:
    # Manage auth methods broadly across Vault
    path "auth/*"
    {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    
    # Create, update, and delete auth methods
    path "sys/auth/*"
    {
    capabilities = ["create", "update", "delete", "sudo"]
    }
    
    # List auth methods
    path "sys/auth"
    {
    capabilities = ["read"]
    }
    
    # Create and manage ACL policies
    path "sys/policies/acl/*"
    {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    
    # To list policies
    path "sys/policies/acl"
    {
    capabilities = ["list"]
    }
    
    # List, create, update, and delete key/value secrets
    path "secret/*"
    {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    
    # Create and manage secret engines broadly across Vault.
    path "sys/mounts/*"
    {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    
    # Read health checks
    path "sys/health"
    {
    capabilities = ["read", "sudo"]
    }
    
    path "sys/capabilities"
    {
    capabilities = ["create", "update"]
    }
    
    path "sys/capabilities-self"
    {
    capabilities = ["create", "update"]
    }
    
    # Create and manage identities and groups
    path "identity/*"
    {
    capabilities = ["create", "read", "update", "delete", "list"]
    }
    
  4. Created a Vault group (Admins), used an LDAP group (Admins) as its alias, and applied the policy to this group.

The result in this scenario is that every user who logs in, no matter whether they belong to the Admins group or not, is assigned this policy.

The desired outcome would be that only the users who really belong to the Admin group in my LDAP are assigned this policy, and all other users are denied login or, at the very least, dropped to the default policy.
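Vault resolves a user's LDAP groups by rendering the configured groupfilter (it substitutes `{{.Username}}` and `{{.UserDN}}`) and searching under groupdn; every group entry that matches is mapped to policies through the auth method's group mappings (or an external identity group alias). The toy model below, added here as an illustration and not code from the post, from JumpCloud or from Vault, replays that resolution against a constructed JumpCloud-style directory. It compares the filter used in the post, which carries no user-specific clause, with Vault's shipped default groupfilter and with a member-scoped variant. The directory entries, user names, the `EXAMPLE_ORG` organisation id and the policy names are all constructed; the filter evaluator supports only `(&...)`, `(|...)` and exact `(attr=value)` matching.

```python
"""Toy model of how Vault's LDAP auth method turns a groupfilter into a
user's group list and token policies.  Constructed directory, not a real
JumpCloud export; the filter parser covers only the subset used here."""

# Constructed JumpCloud-style directory: users and groupOfNames groups share
# one OU, matching the post's config where groupdn equals userdn.
BASE = "ou=Users,o=EXAMPLE_ORG,dc=jumpcloud,dc=com"  # <ORG_ID> placeholder

DIRECTORY = [
    {"dn": f"uid=alice,{BASE}", "objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    {"dn": f"uid=bob,{BASE}", "objectclass": ["inetOrgPerson"], "uid": ["bob"]},
    {"dn": f"cn=Admins,{BASE}", "objectclass": ["groupOfNames"], "cn": ["Admins"],
     "member": [f"uid=alice,{BASE}"]},
    {"dn": f"cn=Developers,{BASE}", "objectclass": ["groupOfNames"], "cn": ["Developers"],
     "member": [f"uid=alice,{BASE}", f"uid=bob,{BASE}"]},
]

# Constructed group -> policy mapping, the equivalent of
# `vault write auth/ldap/groups/<cn> policies=<policy>`.
GROUP_POLICIES = {"Admins": ["admins"], "Developers": ["developers"]}

# Vault's default groupfilter, the filter from the post, and a scoped variant.
DEFAULT_FILTER = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
POSTED_FILTER = "(objectclass=groupOfNames)"
SCOPED_FILTER = "(&(objectclass=groupOfNames)(member={{.UserDN}}))"


def parse_filter(text):
    """Parse the (&...), (|...) and (attr=value) subset of RFC 4515 filters."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            pos += 1  # closing ')' of the compound filter
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)  # DN values may contain '='
        pos = end + 1
        return ("=", attr.lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    # Attribute values and DNs are compared case-insensitively, as LDAP does.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def render_filter(template, username, user_dn):
    """Substitute the two template variables Vault exposes to groupfilter."""
    return template.replace("{{.Username}}", username).replace("{{.UserDN}}", user_dn)


def resolve_groups(groupfilter, username, userattr="uid", groupattr="cn"):
    """Mimic Vault: locate the user's DN, then search groupdn with the rendered filter."""
    user = next(e for e in DIRECTORY if username in e.get(userattr, []))
    node = parse_filter(render_filter(groupfilter, username, user["dn"]))
    return sorted(e[groupattr][0] for e in DIRECTORY if groupattr in e and matches(node, e))


def effective_policies(groupfilter, username):
    """Policies the token would carry: 'default' plus those mapped to each matched group."""
    policies = {"default"}
    for group in resolve_groups(groupfilter, username):
        policies.update(GROUP_POLICIES.get(group, []))
    return sorted(policies)


if __name__ == "__main__":
    for label, flt in (("posted", POSTED_FILTER), ("default", DEFAULT_FILTER), ("scoped", SCOPED_FILTER)):
        for user in ("alice", "bob"):
            print(f"{label:8} {user}: groups={resolve_groups(flt, user)} "
                  f"policies={effective_policies(flt, user)}")
```

Run stand-alone, the model shows that a filter without a `{{.UserDN}}` or `{{.Username}}` clause matches every group for every user, so the non-member `bob` is resolved into Admins as well as Developers, while the default and scoped filters only return the groups whose `member` attribute carries his DN. On a real Vault the equivalent checks are the group mapping (`vault write auth/ldap/groups/Admins policies=admins`) and a test login (`vault login -method=ldap username=bob`), whose output lists the token's `token_policies`.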