StackStorm / st2-auth-ldap

LDAP backend for user authentication in StackStorm. Previously LDAP backend for EWC.
https://docs.stackstorm.com/authentication.html
Apache License 2.0

Feature Request: Allow partial group name matches #104

Open guo3561101 opened 2 years ago

guo3561101 commented 2 years ago

The log tells me that I can log in to LDAP only when required_groups equals actual_groups

required_groups={'cn=st2users,cn=people,ou=people,dc=example,dc=cn'}
actual_groups={'cn=st2users,cn=people,ou=people,dc=example,dc=cn'}

The following configuration does not allow login

backend_kwargs = {
    "bind_dn": "cn=admin,dc=example,dc=cn",
    "bind_password": "123",
    "base_ou": "ou=People,dc=example,dc=cn",
    "id_attr": "cn",
    "group_dns": ["ou=People,dc=example,dc=cn"],
    "group_pattern": "(&(objectClass=person)(&(cn={username})))",
    "group_dns_check": "or",
    "host": "ldap.example.cn",
    "port": 389
}

2022-05-13 07:34:54,293 ERROR [-] Unable to verify membership for user "st2users (
required_groups={'ou=people,dc=example,dc=cn'},
actual_groups={'cn=st2users,ou=people,dc=example,dc=cn'},
check_behavior=or)".

I have to change group_dns to "cn=st2users,ou=people,dc=example,dc=cn", so that I can log in successfully.

Currently I can only add my LDAP authentication by adding group_dns

example: [
"cn=user1,ou=ops,ou=people,dc=example,dc=cn",
"cn=user2,ou=ops,ou=people,dc=example,dc=cn"
]

I can't find my user information without changing group_pattern.

my ldap user dn = cn=user1,ou=ops,ou=People,dc=example,dc=cn

I can log in successfully only when group_dns equals my user DN
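To make the difference between the full-DN match the issue describes and a partial match concrete, here is an added illustration. It is not st2-auth-ldap's code and does not reproduce the backend's implementation; the DN parser is a simplified stand-in (it assumes no escaped commas or `=` inside values), the sample DNs are constructed to mirror the ones quoted in the log above, and the `and`/`or` semantics follow what the `group_dns_check` setting names. It also shows why a partial match should compare whole DN components rather than raw substrings.

```python
"""Added illustration, not st2-auth-ldap's own code.

Compares three ways to match a required group DN against the DNs a user
actually belongs to, plus the "and"/"or" check behaviour that the issue's
`group_dns_check` setting refers to.  Sample DNs are constructed to mirror
the ones quoted in the issue.  DN parsing is simplified: it assumes no
escaped commas or '=' characters inside attribute values.
"""
from typing import Callable, Iterable, List, Tuple

RDN = Tuple[str, str]          # (attribute, value), both lower-cased
Matcher = Callable[[str, str], bool]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into normalised (attribute, value) components, most
    specific first, as written.  Case is folded so 'ou=People' and
    'ou=people' compare equal, like the lower-cased values in the log."""
    components: List[RDN] = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        components.append((attr.strip().lower(), value.strip().lower()))
    return components


def exact_match(required: str, actual: str) -> bool:
    """Whole-DN equality: every component must agree (the behaviour the
    issue reports today)."""
    return parse_dn(required) == parse_dn(actual)


def suffix_match(required: str, actual: str) -> bool:
    """`actual` is `required` itself or an entry beneath it in the tree:
    the components of `required` must equal the trailing components of
    `actual`.  This is the 'ou=People,...' base-OU match the issue asks for."""
    req, act = parse_dn(required), parse_dn(actual)
    return len(req) <= len(act) and act[len(act) - len(req):] == req


def rdn_match(required: str, actual: str) -> bool:
    """A single RDN such as 'cn=st2users' matches only if it equals one
    whole component of `actual`; 'cn=st2users-guests' does not qualify."""
    req = parse_dn(required)
    if len(req) != 1:
        raise ValueError("rdn_match expects a single attr=value component")
    return req[0] in parse_dn(actual)


def naive_substring_match(required: str, actual: str) -> bool:
    """The tempting shortcut, kept only to show why it is unsafe: a
    required 'cn=st2users' also accepts 'cn=st2users-guests'."""
    return required.lower() in actual.lower()


def verify_membership(required_groups: Iterable[str],
                      actual_groups: Iterable[str],
                      check_behavior: str = "and",
                      matcher: Matcher = exact_match) -> bool:
    """'and': every required group must be matched by some actual group.
    'or': at least one required group must be matched.
    An empty required set fails closed here; that is this illustration's
    choice, not a statement about the backend's handling of it."""
    if check_behavior not in ("and", "or"):
        raise ValueError(f"unknown check_behavior {check_behavior!r}")
    actual = list(actual_groups)
    hits = [any(matcher(req, act) for act in actual) for req in required_groups]
    if not hits:
        return False
    return all(hits) if check_behavior == "and" else any(hits)


# Constructed inputs mirroring the issue's log line.
REQUIRED = {"ou=people,dc=example,dc=cn"}
ACTUAL = {"cn=st2users,ou=People,dc=example,dc=cn"}

if __name__ == "__main__":
    print("exact :", verify_membership(REQUIRED, ACTUAL, "or", exact_match))
    print("suffix:", verify_membership(REQUIRED, ACTUAL, "or", suffix_match))
```

With the log's values, `exact_match` fails (the OU alone is not the user's full DN) while `suffix_match` succeeds, which is the outcome the reporter wants from a base-OU entry in `group_dns`. The `rdn_match` and `naive_substring_match` pair shows the caveat for any partial-match implementation: compare parsed components, because a substring test on the raw DN string accepts names that merely start with or contain the configured one.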

cognifloyd commented 1 month ago

Right now, we do a full match of group names, including CN, OU and DC: https://github.com/StackStorm/st2-auth-ldap/blob/9d8b42d6582e6de5994b8c57945b3cee5b18c188/st2auth_ldap/ldap_backend.py#L178-L185 https://github.com/StackStorm/st2-auth-ldap/blob/9d8b42d6582e6de5994b8c57945b3cee5b18c188/st2auth_ldap/ldap_backend.py#L392-L397

This logic needs to be modified to allow for: