Use groupSearch.userAttributeForFilter during ActiveDirectory group searches

- Load the setting in the controller. - The LDAP auth code is shared between AD and LDAP, so no new changes there in this commit.
2023-05-31 11:17:40 -07:00 · 2023-05-31 11:17:40 -07:00 · 600d002a35
commit 600d002a35
parent 0a1f966886
2 changed files with 123 additions and 101 deletions
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@ -204,7 +204,7 @@ func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) Filter() string {
 }
 func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) UserAttributeForFilter() string {
-	return ""
+	return g.groupSearch.UserAttributeForFilter
 }
 func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) GroupNameAttribute() string {
@ -335,6 +335,7 @@ func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context,
 		GroupSearch: upstreamldap.GroupSearchConfig{
 			Base:                   spec.GroupSearch.Base,
 			Filter:                 adUpstreamImpl.Spec().GroupSearch().Filter(),
 			UserAttributeForFilter: adUpstreamImpl.Spec().GroupSearch().UserAttributeForFilter(),
 			GroupNameAttribute:     adUpstreamImpl.Spec().GroupSearch().GroupNameAttribute(),
 			SkipGroupRefresh:       spec.GroupSearch.SkipGroupRefresh,
 		},
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package activedirectoryupstreamwatcher
@ -152,17 +152,22 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		testNamespace   = "test-namespace"
 		testName        = "test-name"
 		testResourceUID = "test-uid"
-		testSecretName        = "test-bind-secret"
+
 		testHost = "ldap.example.com:123"
 		testBindSecretName = "test-bind-secret"
 		testBindUsername   = "test-bind-username"
 		testBindPassword   = "test-bind-password"
-		testHost              = "ldap.example.com:123"
+
 		testUserSearchBase             = "test-user-search-base"
 		testUserSearchFilter           = "test-user-search-filter"
 		testUserSearchUsernameAttrName = "test-username-attr"
 		testUserSearchUIDAttrName      = "test-uid-attr"
 		testGroupSearchBase                   = "test-group-search-base"
 		testGroupSearchFilter                 = "test-group-search-filter"
-		testUsernameAttrName  = "test-username-attr"
+		testGroupSearchUserAttributeForFilter = "test-group-search-filter-user-attr-for-filter"
-		testGroupNameAttrName = "test-group-name-attr"
+		testGroupSearchNameAttrName           = "test-group-name-attr"
 		testUIDAttrName       = "test-uid-attr"
 	)
 	testValidSecretData := map[string][]byte{"username": []byte(testBindUsername), "password": []byte(testBindPassword)}
@ -177,20 +182,21 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		Spec: v1alpha1.ActiveDirectoryIdentityProviderSpec{
 			Host: testHost,
 			TLS:  &v1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64Encoded},
-			Bind: v1alpha1.ActiveDirectoryIdentityProviderBind{SecretName: testSecretName},
+			Bind: v1alpha1.ActiveDirectoryIdentityProviderBind{SecretName: testBindSecretName},
 			UserSearch: v1alpha1.ActiveDirectoryIdentityProviderUserSearch{
 				Base:   testUserSearchBase,
 				Filter: testUserSearchFilter,
 				Attributes: v1alpha1.ActiveDirectoryIdentityProviderUserSearchAttributes{
-					Username: testUsernameAttrName,
+					Username: testUserSearchUsernameAttrName,
-					UID:      testUIDAttrName,
+					UID:      testUserSearchUIDAttrName,
 				},
 			},
 			GroupSearch: v1alpha1.ActiveDirectoryIdentityProviderGroupSearch{
 				Base:                   testGroupSearchBase,
 				Filter:                 testGroupSearchFilter,
 				UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 				Attributes: v1alpha1.ActiveDirectoryIdentityProviderGroupSearchAttributes{
-					GroupName: testGroupNameAttrName,
+					GroupName: testGroupSearchNameAttrName,
 				},
 				SkipGroupRefresh: false,
 			},
@ -213,13 +219,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		UserSearch: upstreamldap.UserSearchConfig{
 			Base:              testUserSearchBase,
 			Filter:            testUserSearchFilter,
-			UsernameAttribute: testUsernameAttrName,
+			UsernameAttribute: testUserSearchUsernameAttrName,
-			UIDAttribute:      testUIDAttrName,
+			UIDAttribute:      testUserSearchUIDAttrName,
 		},
 		GroupSearch: upstreamldap.GroupSearchConfig{
 			Base:                   testGroupSearchBase,
 			Filter:                 testGroupSearchFilter,
-			GroupNameAttribute: testGroupNameAttrName,
+			UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 			GroupNameAttribute:     testGroupSearchNameAttrName,
 		},
 		UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 		RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -252,7 +259,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			Reason:             "Success",
 			Message: fmt.Sprintf(
 				`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
-				testHost, testBindUsername, testSecretName, secretVersion),
+				testHost, testBindUsername, testBindSecretName, secretVersion),
 			ObservedGeneration: gen,
 		}
 	}
@ -324,7 +331,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 	validBindUserSecret := func(secretVersion string) *corev1.Secret {
 		return &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace, ResourceVersion: secretVersion},
+			ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace, ResourceVersion: secretVersion},
 			Type:       corev1.SecretTypeBasicAuth,
 			Data:       testValidSecretData,
 		}
@ -417,7 +424,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Status:             "False",
 							LastTransitionTime: now,
 							Reason:             "SecretNotFound",
-							Message:            fmt.Sprintf(`secret "%s" not found`, testSecretName),
+							Message:            fmt.Sprintf(`secret "%s" not found`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
 						tlsConfigurationValidLoadedTrueCondition(1234),
@ -429,7 +436,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			name:           "secret has wrong type",
 			inputUpstreams: []runtime.Object{validUpstream},
 			inputSecrets: []runtime.Object{&corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace},
+				ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace},
 				Type:       "some-other-type",
 				Data:       testValidSecretData,
 			}},
@ -445,7 +452,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Status:             "False",
 							LastTransitionTime: now,
 							Reason:             "SecretWrongType",
-							Message:            fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testSecretName),
+							Message:            fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
 						tlsConfigurationValidLoadedTrueCondition(1234),
@ -457,7 +464,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			name:           "secret is missing key",
 			inputUpstreams: []runtime.Object{validUpstream},
 			inputSecrets: []runtime.Object{&corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace},
+				ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace},
 				Type:       corev1.SecretTypeBasicAuth,
 			}},
 			wantErr:            controllerlib.ErrSyntheticRequeue.Error(),
@ -472,7 +479,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Status:             "False",
 							LastTransitionTime: now,
 							Reason:             "SecretMissingKeys",
-							Message:            fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testSecretName),
+							Message:            fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
 						tlsConfigurationValidLoadedTrueCondition(1234),
@ -555,13 +562,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -624,12 +632,13 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
 						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     "sAMAccountName",
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
@ -696,13 +705,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -725,7 +735,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Reason:             "Success",
 							Message: fmt.Sprintf(
 								`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
-								"ldap.example.com", testBindUsername, testSecretName, "4242"),
+								"ldap.example.com", testBindUsername, testBindSecretName, "4242"),
 							ObservedGeneration: 1234,
 						},
 						searchBaseFoundInConfigCondition(1234),
@ -745,7 +755,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					Reason: "Success",
 					Message: fmt.Sprintf(
 						`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
-						"ldap.example.com", testBindUsername, testSecretName, "4242"),
+						"ldap.example.com", testBindUsername, testBindSecretName, "4242"),
 				},
 				SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
 			}},
@ -775,13 +785,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -838,13 +849,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -988,13 +1000,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              exampleDefaultNamingContext,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1137,13 +1150,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              exampleDefaultNamingContext,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1208,13 +1222,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              exampleDefaultNamingContext,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1479,6 +1494,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))",
 						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     "sAMAccountName",
 					},
 					UIDAttributeParsingOverrides:   map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
@ -1539,7 +1555,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   exampleDefaultNamingContext,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1602,7 +1619,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1665,7 +1683,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   exampleDefaultNamingContext,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1876,7 +1895,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   exampleDefaultNamingContext,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1931,13 +1951,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
 						Base:                   testGroupSearchBase,
 						Filter:                 testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 						GroupNameAttribute:     testGroupSearchNameAttrName,
 						SkipGroupRefresh:       true,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},