You can log in through LDAP only when required_groups equals actual_groups

[guo3561101]

The log tells me that I can log in to LDAP only when required_groups equals actual_groups
required_groups= {'cn=st2users,cn=people,ou=people,dc=example,dc=cn'}
actual_groups= {'cn=st2users,cn=people,ou=people,dc=example,dc=cn'}

The following configuration does not allow login

backend_kwargs = {
"bind_dn": "cn=admin,dc=example,dc=cn",
"bind_password": "123",
"base_ou": "ou=People,dc=example,dc=cn",
"id_attr":"cn" ,
"group_dns": ["ou=People,dc=example,dc=cn"],
"group_pattern": "(&(objectClass=person)(&(cn={username})))",
"group_dns_check":"or",
"host": "ldap.example.cn",
"port": 389}

2022-05-13 07:34:54,293 ERROR [-] Unable to verify membership for user "st2users (
required_groups={'ou=people,dc=example,dc=cn'},
actual_groups={'cn=st2users,ou=people,dc=example,dc=cn'},
check_behavior=or)".

I have to change group_dns to "cn=st2users,ou=people,dc=example,dc=cn",so that I can log in successfully

Currently I can only add my LDAP authentication by adding group_dns
example: [
"cn=user1,ou=ops,ou=people,dc=example,dc=cn",
"cn=user2,ou=ops,ou=people,dc=example,dc=cn"
]
I can't find my user information without changing group-pattern

my ldap user dn = cn=user1,ou=ops,ou=People,dc=example,dc=cn

I can log in successfully only when group_dns equals my user DN