Hi, for the LDAP auth module, the default behavior to search for a user’s membership is to look at the “cn” attribute value (“groupattr=cn”).
I believe this could cause issues when more than one group has the same “cn” in different OUs. This could result in giving credentials to unwanted users.
I’m trying to change the “groupattr” to “distinguishedName” and specify the group mapping using this attribute, but it doesn’t work. When looking at the debug logs, I still only see the “cn” part of the DN, and not the full DN (cn=sysadmins,ou=security,dc=mycompany,dc=local).
vault read auth/ldap/groups/cn=sysadmin,ou=security,dc=mycompany,dc=local
I would expect this to work, but it doesn’t. Maybe I’m not doing this right?
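As an added example that is not part of the original post or of Vault’s own code: a small Python audit that keys a constructed list of group DNs the way a cn-based group mapping would, reports the groups that collapse onto the same key, and shows what narrowing the group search base (Vault’s groupdn) to a single OU does to that ambiguity. The directory entries in SAMPLE_GROUP_DNS are constructed for the example, and collisions, under_base and rdn_value are names chosen here, not Vault API names.

```python
"""Audit group DNs for cn collisions before relying on a cn-keyed group
mapping such as Vault's default groupattr=cn.  Added example, not Vault code."""
from collections import defaultdict

# Constructed sample: the group entries a group search might return.
# Two distinct groups share cn=sysadmins in different OUs; one cn has an
# RFC 4514 escaped comma to exercise the DN splitter.
SAMPLE_GROUP_DNS = [
    "cn=sysadmins,ou=security,dc=mycompany,dc=local",
    "cn=sysadmins,ou=lab,dc=mycompany,dc=local",
    "cn=developers,ou=engineering,dc=mycompany,dc=local",
    r"cn=ops\, oncall,ou=security,dc=mycompany,dc=local",
]


def split_rdns(dn):
    """Split a DN string into its RDNs, honouring backslash escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [r.strip() for r in rdns]


def rdn_value(dn, attr):
    """Value of the first RDN of type `attr` (case-insensitive), or None."""
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        if typ.strip().lower() == attr.lower():
            return val
    return None


def group_keys(dns, attr="cn"):
    """Map each lookup key (the RDN value of `attr`) to the DNs producing it."""
    keys = defaultdict(list)
    for dn in dns:
        value = rdn_value(dn, attr)
        if value is not None:
            keys[value].append(dn)
    return dict(keys)


def collisions(dns, attr="cn"):
    """Keys that more than one group DN would map onto: the ambiguous ones."""
    return {k: v for k, v in group_keys(dns, attr).items() if len(v) > 1}


def under_base(dns, base):
    """Keep only DNs beneath `base`, mimicking a narrower search base."""
    base_rdns = [r.lower() for r in split_rdns(base)]
    kept = []
    for dn in dns:
        rdns = [r.lower() for r in split_rdns(dn)]
        if len(rdns) > len(base_rdns) and rdns[-len(base_rdns):] == base_rdns:
            kept.append(dn)
    return kept


if __name__ == "__main__":
    print("cn collisions across the whole tree:", collisions(SAMPLE_GROUP_DNS))
    scoped = under_base(SAMPLE_GROUP_DNS, "ou=security,dc=mycompany,dc=local")
    print("cn collisions with groupdn scoped to ou=security:", collisions(scoped))
```

A non-empty result from collisions means a cn-keyed mapping cannot tell those groups apart, so a policy bound to that name applies to members of every one of them; scoping the search base to the OU that actually holds the intended group is the check to run before trusting a cn-only mapping.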