No LDAP groups found in groupDN error

I’ve set up LDAP auth using FreeIPA as the source, with the following dumped from vault read auth/ldap/config:

Key                             Value
---                             -----
anonymous_group_search          false
binddn                          uid=vault_readonly,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com
case_sensitive_names            false
certificate                     -----BEGIN CERTIFICATE-----<snip>-----END CERTIFICATE-----
deny_null_bind                  true
discoverdn                      false
groupattr                       cn
groupdn                         cn=groups,cn=accounts,dc=my,dc=domain,dc=com
groupfilter                     (&(uid={{.Username}})(objectClass=person))
insecure_tls                    false
starttls                        false
tls_max_version                 tls12
tls_min_version                 tls12
token_bound_cidrs               []
token_explicit_max_ttl          0s
token_max_ttl                   0s
token_no_default_policy         false
token_num_uses                  0
token_period                    0s
token_policies                  []
token_ttl                       0s
token_type                      default
upndomain                       n/a
url                             ldaps://
use_pre111_group_cn_behavior    false
use_token_groups                false
userattr                        uid
userdn                          cn=users,cn=accounts,dc=my,dc=domain,dc=com

When I try to login with vault login -method=ldap username=myuser I get the following message:

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

WARNING! The following warnings were returned from Vault:

  * no LDAP groups found in groupDN
  'cn=groups,cn=accounts,dc=my,dc=domain,dc=com'; only policies from
  locally-defined groups available