Use groupSearch.userAttributeForFilter during ActiveDirectory group searches

- Load the setting in the controller. - The LDAP auth code is shared between AD and LDAP, so no new changes there in this commit.
2023-05-31 11:17:40 -07:00 · 2023-05-31 11:17:40 -07:00 · 600d002a35
commit 600d002a35
parent 0a1f966886
2 changed files with 123 additions and 101 deletions
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@ -204,7 +204,7 @@ func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) Filter() string {
 }

 func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) UserAttributeForFilter() string {
-	return ""
+	return g.groupSearch.UserAttributeForFilter
 }

 func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) GroupNameAttribute() string {
@ -333,10 +333,11 @@ func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context,
 			UIDAttribute:      adUpstreamImpl.Spec().UserSearch().UIDAttribute(),
 		},
 		GroupSearch: upstreamldap.GroupSearchConfig{
-			Base:               spec.GroupSearch.Base,
-			Filter:             adUpstreamImpl.Spec().GroupSearch().Filter(),
-			GroupNameAttribute: adUpstreamImpl.Spec().GroupSearch().GroupNameAttribute(),
-			SkipGroupRefresh:   spec.GroupSearch.SkipGroupRefresh,
+			Base:                   spec.GroupSearch.Base,
+			Filter:                 adUpstreamImpl.Spec().GroupSearch().Filter(),
+			UserAttributeForFilter: adUpstreamImpl.Spec().GroupSearch().UserAttributeForFilter(),
+			GroupNameAttribute:     adUpstreamImpl.Spec().GroupSearch().GroupNameAttribute(),
+			SkipGroupRefresh:       spec.GroupSearch.SkipGroupRefresh,
 		},
 		Dialer: c.ldapDialer,
 		UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package activedirectoryupstreamwatcher
@ -149,20 +149,25 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 	now := metav1.NewTime(time.Now().UTC())

 	const (
-		testNamespace         = "test-namespace"
-		testName              = "test-name"
-		testResourceUID       = "test-uid"
-		testSecretName        = "test-bind-secret"
-		testBindUsername      = "test-bind-username"
-		testBindPassword      = "test-bind-password"
-		testHost              = "ldap.example.com:123"
-		testUserSearchBase    = "test-user-search-base"
-		testUserSearchFilter  = "test-user-search-filter"
-		testGroupSearchBase   = "test-group-search-base"
-		testGroupSearchFilter = "test-group-search-filter"
-		testUsernameAttrName  = "test-username-attr"
-		testGroupNameAttrName = "test-group-name-attr"
-		testUIDAttrName       = "test-uid-attr"
+		testNamespace   = "test-namespace"
+		testName        = "test-name"
+		testResourceUID = "test-uid"
+
+		testHost = "ldap.example.com:123"
+
+		testBindSecretName = "test-bind-secret"
+		testBindUsername   = "test-bind-username"
+		testBindPassword   = "test-bind-password"
+
+		testUserSearchBase             = "test-user-search-base"
+		testUserSearchFilter           = "test-user-search-filter"
+		testUserSearchUsernameAttrName = "test-username-attr"
+		testUserSearchUIDAttrName      = "test-uid-attr"
+
+		testGroupSearchBase                   = "test-group-search-base"
+		testGroupSearchFilter                 = "test-group-search-filter"
+		testGroupSearchUserAttributeForFilter = "test-group-search-filter-user-attr-for-filter"
+		testGroupSearchNameAttrName           = "test-group-name-attr"
 	)

 	testValidSecretData := map[string][]byte{"username": []byte(testBindUsername), "password": []byte(testBindPassword)}
@ -177,20 +182,21 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		Spec: v1alpha1.ActiveDirectoryIdentityProviderSpec{
 			Host: testHost,
 			TLS:  &v1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64Encoded},
-			Bind: v1alpha1.ActiveDirectoryIdentityProviderBind{SecretName: testSecretName},
+			Bind: v1alpha1.ActiveDirectoryIdentityProviderBind{SecretName: testBindSecretName},
 			UserSearch: v1alpha1.ActiveDirectoryIdentityProviderUserSearch{
 				Base:   testUserSearchBase,
 				Filter: testUserSearchFilter,
 				Attributes: v1alpha1.ActiveDirectoryIdentityProviderUserSearchAttributes{
-					Username: testUsernameAttrName,
-					UID:      testUIDAttrName,
+					Username: testUserSearchUsernameAttrName,
+					UID:      testUserSearchUIDAttrName,
 				},
 			},
 			GroupSearch: v1alpha1.ActiveDirectoryIdentityProviderGroupSearch{
-				Base:   testGroupSearchBase,
-				Filter: testGroupSearchFilter,
+				Base:                   testGroupSearchBase,
+				Filter:                 testGroupSearchFilter,
+				UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
 				Attributes: v1alpha1.ActiveDirectoryIdentityProviderGroupSearchAttributes{
-					GroupName: testGroupNameAttrName,
+					GroupName: testGroupSearchNameAttrName,
 				},
 				SkipGroupRefresh: false,
 			},
@ -213,13 +219,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		UserSearch: upstreamldap.UserSearchConfig{
 			Base:              testUserSearchBase,
 			Filter:            testUserSearchFilter,
-			UsernameAttribute: testUsernameAttrName,
-			UIDAttribute:      testUIDAttrName,
+			UsernameAttribute: testUserSearchUsernameAttrName,
+			UIDAttribute:      testUserSearchUIDAttrName,
 		},
 		GroupSearch: upstreamldap.GroupSearchConfig{
-			Base:               testGroupSearchBase,
-			Filter:             testGroupSearchFilter,
-			GroupNameAttribute: testGroupNameAttrName,
+			Base:                   testGroupSearchBase,
+			Filter:                 testGroupSearchFilter,
+			UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+			GroupNameAttribute:     testGroupSearchNameAttrName,
 		},
 		UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 		RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -252,7 +259,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			Reason:             "Success",
 			Message: fmt.Sprintf(
 				`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
-				testHost, testBindUsername, testSecretName, secretVersion),
+				testHost, testBindUsername, testBindSecretName, secretVersion),
 			ObservedGeneration: gen,
 		}
 	}
@ -324,7 +331,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {

 	validBindUserSecret := func(secretVersion string) *corev1.Secret {
 		return &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace, ResourceVersion: secretVersion},
+			ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace, ResourceVersion: secretVersion},
 			Type:       corev1.SecretTypeBasicAuth,
 			Data:       testValidSecretData,
 		}
@ -417,7 +424,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Status:             "False",
 							LastTransitionTime: now,
 							Reason:             "SecretNotFound",
-							Message:            fmt.Sprintf(`secret "%s" not found`, testSecretName),
+							Message:            fmt.Sprintf(`secret "%s" not found`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
 						tlsConfigurationValidLoadedTrueCondition(1234),
@ -429,7 +436,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			name:           "secret has wrong type",
 			inputUpstreams: []runtime.Object{validUpstream},
 			inputSecrets: []runtime.Object{&corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace},
+				ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace},
 				Type:       "some-other-type",
 				Data:       testValidSecretData,
 			}},
@ -445,7 +452,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Status:             "False",
 							LastTransitionTime: now,
 							Reason:             "SecretWrongType",
-							Message:            fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testSecretName),
+							Message:            fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
 						tlsConfigurationValidLoadedTrueCondition(1234),
@ -457,7 +464,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			name:           "secret is missing key",
 			inputUpstreams: []runtime.Object{validUpstream},
 			inputSecrets: []runtime.Object{&corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace},
+				ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace},
 				Type:       corev1.SecretTypeBasicAuth,
 			}},
 			wantErr:            controllerlib.ErrSyntheticRequeue.Error(),
@ -472,7 +479,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Status:             "False",
 							LastTransitionTime: now,
 							Reason:             "SecretMissingKeys",
-							Message:            fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testSecretName),
+							Message:            fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
 						tlsConfigurationValidLoadedTrueCondition(1234),
@ -555,13 +562,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -624,13 +632,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: "sAMAccountName",
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     "sAMAccountName",
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -696,13 +705,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -725,7 +735,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Reason:             "Success",
 							Message: fmt.Sprintf(
 								`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
-								"ldap.example.com", testBindUsername, testSecretName, "4242"),
+								"ldap.example.com", testBindUsername, testBindSecretName, "4242"),
 							ObservedGeneration: 1234,
 						},
 						searchBaseFoundInConfigCondition(1234),
@ -745,7 +755,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					Reason: "Success",
 					Message: fmt.Sprintf(
 						`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
-						"ldap.example.com", testBindUsername, testSecretName, "4242"),
+						"ldap.example.com", testBindUsername, testBindSecretName, "4242"),
 				},
 				SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
 			}},
@ -775,13 +785,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -838,13 +849,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -988,13 +1000,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              exampleDefaultNamingContext,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1137,13 +1150,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              exampleDefaultNamingContext,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1208,13 +1222,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              exampleDefaultNamingContext,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1477,9 +1492,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 						UIDAttribute:      "objectGUID",
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))",
-						GroupNameAttribute: "sAMAccountName",
+						Base:                   testGroupSearchBase,
+						Filter:                 "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))",
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     "sAMAccountName",
 					},
 					UIDAttributeParsingOverrides:   map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					GroupAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"sAMAccountName": groupSAMAccountNameWithDomainSuffix},
@ -1537,9 +1553,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 						UIDAttribute:      "objectGUID",
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               exampleDefaultNamingContext,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   exampleDefaultNamingContext,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1600,9 +1617,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 						UIDAttribute:      "objectGUID",
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1663,9 +1681,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 						UIDAttribute:      "objectGUID",
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               exampleDefaultNamingContext,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   exampleDefaultNamingContext,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1874,9 +1893,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 						UIDAttribute:      "objectGUID",
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               exampleDefaultNamingContext,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
+						Base:                   exampleDefaultNamingContext,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{
@ -1931,14 +1951,15 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					UserSearch: upstreamldap.UserSearchConfig{
 						Base:              testUserSearchBase,
 						Filter:            testUserSearchFilter,
-						UsernameAttribute: testUsernameAttrName,
-						UIDAttribute:      testUIDAttrName,
+						UsernameAttribute: testUserSearchUsernameAttrName,
+						UIDAttribute:      testUserSearchUIDAttrName,
 					},
 					GroupSearch: upstreamldap.GroupSearchConfig{
-						Base:               testGroupSearchBase,
-						Filter:             testGroupSearchFilter,
-						GroupNameAttribute: testGroupNameAttrName,
-						SkipGroupRefresh:   true,
+						Base:                   testGroupSearchBase,
+						Filter:                 testGroupSearchFilter,
+						UserAttributeForFilter: testGroupSearchUserAttributeForFilter,
+						GroupNameAttribute:     testGroupSearchNameAttrName,
+						SkipGroupRefresh:       true,
 					},
 					UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")},
 					RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{