If you’re running into frustrating issues trying to map LDAP groups in Ansible Automation Platform 2.5, you’re not alone.

Many users have found that LDAP authentication itself works fine, but mapping users to roles based on group membership fails without any obvious error, especially when the directory is Microsoft Active Directory (AD). Let’s break down the issue and how to fix it.


The Issue

In AAP 2.5:

  • You’re authenticating users against Active Directory via LDAP.
  • You’re attempting to map AD group membership to roles (like superuser, auditor, etc.).
  • Authentication is successful, but users don’t get the roles you expect from group mappings.

✅ The Fix

It turns out that AAP 2.5 requires the full group DN (Distinguished Name) in the mapping to be lowercase for the mapping to match.

This works:

"Groups": "cn=superusers,ou=groups,dc=example,dc=com"

This fails:

"Groups": "CN=superusers,OU=Groups,DC=exAmple,DC=com"

Even though AD treats those two DNs as the same group, AAP 2.5 does not parse them the same way, so only the lowercase form matches.


Root Cause

In previous versions of AAP, casing wasn’t enforced. But in version 2.5:

  • All group mapping DNs must be in lowercase.
  • Your group type must be set correctly.

If either is incorrect, mapping will silently fail.


Example Working Mapping

"Authentication mapping": "superuser",
"Name": "LDAP_superuser_map",
"Trigger": "groups",
"Operation": "or",
"Groups": "cn=superusers,ou=groups,dc=example,dc=com"
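A small pre-flight check for the mapping above, added here as an example and not part of AAP or this post: it lowercases each RDN of the "Groups" DN (and, as an extra assumption beyond the page, trims whitespace around the commas), flags any map whose DN is not already in that form or whose trigger is not "groups", and hands back corrected copies. The sample maps are constructed in the shape of the page's example.

```python
"""Pre-flight check for AAP 2.5 authenticator map entries (added example, not AAP
code). It flags 'Groups' DNs that are not fully lowercase, which the platform
would otherwise silently ignore, and returns a corrected copy of each map."""
import re

# Constructed sample maps in the shape of the page's example. Only the second
# one is wrong: its DN is mixed-case, so AAP 2.5 would never apply it.
SAMPLE_MAPS = [
    {"Authentication mapping": "superuser", "Name": "LDAP_superuser_map",
     "Trigger": "groups", "Operation": "or",
     "Groups": "cn=superusers,ou=groups,dc=example,dc=com"},
    {"Authentication mapping": "auditor", "Name": "LDAP_auditor_map",
     "Trigger": "groups", "Operation": "or",
     "Groups": "CN=Auditors,OU=Groups,DC=exAmple,DC=com"},
]

# Split a DN on unescaped commas only; AD allows "\," inside a value (e.g. "Doe\, John").
_RDN_SPLIT = re.compile(r"(?<!\\),")

def normalize_dn(dn: str) -> str:
    """Return the DN in the form AAP 2.5 matches: every RDN lowercased, no padding."""
    return ",".join(part.strip().lower() for part in _RDN_SPLIT.split(dn))

def same_ad_group(dn_a: str, dn_b: str) -> bool:
    """True when AD itself would treat the two DNs as the same object (case-insensitive)."""
    return normalize_dn(dn_a) == normalize_dn(dn_b)

def check_maps(maps):
    """Return (problems, fixed_maps); each problem is (map name, reason)."""
    problems, fixed = [], []
    for m in maps:
        entry = dict(m)
        if entry.get("Trigger") != "groups":  # a group-membership map needs the 'groups' trigger
            problems.append((entry.get("Name"), "trigger is not 'groups'"))
        groups = entry.get("Groups", "")
        as_list = [groups] if isinstance(groups, str) else list(groups)  # allow one DN or a list
        fixed_groups = [normalize_dn(g) for g in as_list]
        for raw, good in zip(as_list, fixed_groups):
            if raw != good:
                problems.append((entry.get("Name"), f"DN not lowercase: {raw}"))
        entry["Groups"] = fixed_groups[0] if isinstance(groups, str) else fixed_groups
        fixed.append(entry)
    return problems, fixed

if __name__ == "__main__":
    found, corrected = check_maps(SAMPLE_MAPS)
    for name, why in found:
        print(f"{name}: {why}")
    print(corrected[1]["Groups"])
```

Running it reports only the auditor map as broken and prints its DN rewritten as cn=auditors,ou=groups,dc=example,dc=com, which is the form you should paste back into the mapping.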

Article Summary

If your LDAP group mappings stopped working after upgrading to AAP 2.5, this is likely why. A few lowercase characters can save you hours of debugging.

Tip: Always double-check your group DNs for lowercase and verify your group type settings after upgrades!