Limit Vault PKI cert common name to user

Attempting to use Vault PKI engine for user-based certificates, where the common name would be userX@domain.com, and users would auth via LDAP to issue the cert. This functionally works using a PKI role with allow_glob_domains = true and allowed_domains = *@domain.com.

How can we restrict this so LDAP user1 can only issue user1@domain.com, and LDAP user2 can only issue user2@domain.com?

Options seem to be:

  1. One role per user where allowed_domains = userX@domain.com. Poor solution, but could technically work if we develop a process to precreate roles for users. (hundreds to thousands)
  2. Sentinel policy to evaluate common_name against user identity. Seems possible if common_name can be read from the data, but not yet tested, and obviously requires Vault Enterprise.

Ideally this would be a natively supported use case in the role options, or by supporting templating in allowed_parameters. As far as I can tell, ACL templating is still only supported in path statements. If it was supported in allowed_parameters, something like this should work:

"common_name" = ["{{identity.entity.aliases.auth_ldap_a123b4c5.name}}@domain.com"]

Are there other options here? Do people use Vault PKI for user-based certificates?
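Added example, not code from the original post or from Vault itself: a simplified Python model of how a PKI role's allowed_domains check admits or rejects a requested common_name under allow_bare_domains and allow_glob_domains, extended with the identity-template substitution the post proposes. It assumes the mount accessor auth_ldap_a123b4c5 from the post (a placeholder value) and a case-insensitive, '*'-only matcher, approximating Vault's rules rather than reproducing its code.

```python
import re
from dataclasses import dataclass

# Identity template shape the post proposes: {{identity.entity.aliases.<accessor>.name}}
TEMPLATE = re.compile(r"\{\{identity\.entity\.aliases\.(\w+)\.name\}\}")

@dataclass
class PkiRole:
    """Subset of Vault PKI role options that decide which common_name is allowed."""
    allowed_domains: list
    allow_bare_domains: bool = False   # exact match against an allowed domain
    allow_glob_domains: bool = False   # '*' wildcard match against an allowed domain
    allowed_domains_template: bool = False  # substitute identity templates (modelled here, assumption)

def _glob(pattern: str, name: str) -> bool:
    """'*' matches any run of characters; everything else is literal, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

def cn_allowed(role: PkiRole, common_name: str, identity: dict) -> bool:
    """True if the caller described by `identity` may request `common_name` under `role`."""
    for domain in role.allowed_domains:
        if role.allowed_domains_template:
            m = TEMPLATE.search(domain)
            if m:
                alias = identity.get("aliases", {}).get(m.group(1))
                if alias is None:
                    continue  # caller has no alias on that auth mount: the template yields nothing
                domain = domain.replace(m.group(0), alias)
        if role.allow_bare_domains and domain.lower() == common_name.lower():
            return True
        if role.allow_glob_domains and "*" in domain and _glob(domain, common_name):
            return True
    return False

# Constructed sample identities: LDAP alias names keyed by the auth mount accessor
# from the post (placeholder value, not a real accessor).
USER1 = {"aliases": {"auth_ldap_a123b4c5": "user1"}}
USER2 = {"aliases": {"auth_ldap_a123b4c5": "user2"}}

# The role the post already uses: any LDAP user can request any CN in the domain.
GLOB_ROLE = PkiRole(["*@domain.com"], allow_glob_domains=True)
# Option 1 from the post: one role per user, exact match only.
USER1_ROLE = PkiRole(["user1@domain.com"], allow_bare_domains=True)
# The templated form the post asks for, resolved against the caller's identity.
TEMPLATED_ROLE = PkiRole(["{{identity.entity.aliases.auth_ldap_a123b4c5.name}}@domain.com"],
                         allow_bare_domains=True, allowed_domains_template=True)
```

Vault's PKI role API has since gained an allowed_domains_template option that applies this kind of identity template to allowed_domains server-side; check the role documentation for the Vault version in use.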