By the spec, a group `member` should always be an Distinguished Name, so, default filter for groupOfNames (`(%{groupattr}=%{user})`) is wrong. There should be an %{dn} placeholder for the user DN and `(%{groupattr}=%{dn})` should be the default filter.

I know that one can set %{ref} to `distinguishedName` in case of AD, or `entryDN` for other LDAP implementations, but those are not standard attributes, so, not guaranteed to be present for every LDAP Server implementation, whereas `member` should always be a DN.