Limit Vault PKI cert common name to user

Attempting to use Vault PKI engine for user-based certificates, where the common name would be, and users would auth via LDAP to issue the cert. This functionally works using a PKI role with allow_glob_domains = true and allowed_domains = *

How can we restrict this so LDAP user1 can only issue, and LDAP user2 can only issue?

Options seem to be:

  1. One role per user where allowed_domains = Poor solution, but could technically work if we develop a process to precreate roles for users. (hundreds to thousands)
  2. Sentinel policy to evaluate common_name against user identity. Seems possible if common_name can be read from the data, but not yet tested, and obviously requires Vault Enterprise.

Ideally this would be a natively supported use case in the role options, or by supporting templating in allowed_parameters. As far as I can tell, ACL templating is still only supported in path statements. If it was supported in allowed_parameters, something like this should work:

"common_name" = ["{{}}"]
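Since path templating does work today, option 1 can be made less painful: name each per-user role after the LDAP username and let a single templated policy bind the caller to that one role, so user1 can only reach pki/issue/user1. This is an added example script, not from the original post; it assumes a PKI mount named pki, an LDAP auth mount whose accessor you pass in, and a CN scheme of <user>.users.example.com (the post leaves the real scheme unstated).

```shell
#!/usr/bin/env bash
# Added example: per-user PKI roles plus one templated ACL policy.
# Assumptions (mine, not the post's): PKI mount "pki", CN scheme
# "<user>.users.example.com". Find the LDAP mount accessor with:
#   vault auth list -format=json | jq -r '.["ldap/"].accessor'
set -eu

PKI_MOUNT="${PKI_MOUNT:-pki}"
CN_SUFFIX="${CN_SUFFIX:-users.example.com}"
VAULT_CMD="${VAULT_CMD:-vault}"   # set VAULT_CMD=echo for a dry run

# One role per user: only that user's own CN is accepted, nothing
# wildcarded or sub-domained, so the role itself cannot be over-used.
create_user_role() {
  local user="$1"
  "$VAULT_CMD" write "${PKI_MOUNT}/roles/${user}" \
    allowed_domains="${user}.${CN_SUFFIX}" \
    allow_bare_domains=true \
    allow_subdomains=false \
    allow_glob_domains=false \
    allow_any_name=false \
    enforce_hostnames=true \
    max_ttl=72h
}

# One policy for all LDAP users: the role segment of the path is the
# caller's LDAP alias name (the username), so the token for user1 can
# only issue from pki/issue/user1.
render_user_policy() {
  local ldap_accessor="$1"
  cat <<EOF
path "${PKI_MOUNT}/issue/{{identity.entity.aliases.${ldap_accessor}.name}}" {
  capabilities = ["create", "update"]
}
EOF
}

write_user_policy() {
  local ldap_accessor="$1"
  render_user_policy "$ldap_accessor" | "$VAULT_CMD" policy write pki-user-cert -
}

# Pre-create everything for a file of usernames, one per line.
provision_all() {
  local users_file="$1" ldap_accessor="$2" user
  write_user_policy "$ldap_accessor"
  while IFS= read -r user; do
    if [ -n "$user" ]; then create_user_role "$user"; fi
  done < "$users_file"
}
```

Attach the pki-user-cert policy to the LDAP auth mount's default token policies; each user then needs no per-user policy, only the pre-created role.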

Are there other options here? Do people use Vault PKI for user-based certificates?