How to perform modifications for the Custom Field Mapping for Certificate Authentication

Article ID: 138207

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

By default, PAM maps the following certificate fields to attributes of the imported LDAP object:

Subject Name: distinguishedName

Subject Alternative Name: userPrincipalName

This works for Active Directory and a Microsoft Certificate Authority that is integrated in AD.

How can these mappings be modified?

Environment

Release : All supported CA PAM versions as of October 2023

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Modify the mappings under Config / ... / LDAP / ... / Custom Field Mapping according to your needs.

For the changes to take effect, it is best to delete the previously imported LDAP group; alternatively, it might be sufficient to refresh the LDAP group.

You should see various warnings (confirmations) "PAM-LDAP-022 User was moved ..." indicating the new mappings have become effective.