OpenLDAP Groups not working as expected in Rancher 1.4

LDAP group permissions are only partially working with Rancher Environment Access Controls. If a Rancher user account is set to ‘Admin’, then Rancher can detect their LDAP group membership (tested through the drop down arrow in environment access controls). However, if the user account is set to ‘User’, then Rancher fails to determine LDAP group membership.

I’m simultaneously working with our LDAP support to see if our schema is different than what Rancher expects, but I want to ask here as well because it half works so maybe it’s a Rancher bug.

Other info:
We’ve been seeing this since 1.3 at least, but possibly 1.2. Upgrading to 1.4 did not resolve the issue.

As it turns out, the problem was entirely related to our non-standard LDAP schema. The interaction that I thought I was seeing with Rancher account roles (User vs Admin) was a complete red herring.