From 045dcbb46339a344a08f5a4c6fe961d16ffd1c28 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Mon, 7 Jul 2025 10:33:10 +0200 Subject: [PATCH] docs: describe AD user filter --- .../opa/pages/usage-guide/user-info-fetcher.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc b/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc index 1fb8cd04..3df72f41 100644 --- a/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc +++ b/docs/modules/opa/pages/usage-guide/user-info-fetcher.adoc @@ -110,6 +110,18 @@ spec: <7> The name of the SecretClass that knows how to create Kerberos keytabs trusted by Active Directory <8> The name of the SecretClass that contains the Active Directory's root CA certificate(s) + +When retrieving user groups from Active Directory, the user info fetcher filters by both `upn` as well as `sAmAccountName` using the following query: + +[source] +---- +(&(objectClass=user)(|(userPrincipalName=@)(userPrincipalName=)(sAMAccountName=))) +---- + +where `` is the user principal name of the user and `` is the realm of the user. + +The above is to accommodate for different Active Directory user management strategies and is subject to change in future releases. + [#backend-entra] === Entra
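Review bot: in the added filter line and the "where" sentence after it, the placeholder names are missing as the text stands. The filter reads `(userPrincipalName=@)(userPrincipalName=)(sAMAccountName=)` and the explanation refers to two empty `` tokens, so a reader cannot tell which value goes into which clause. Give the placeholders explicit names and, if they are written in angle brackets, confirm that they survive AsciiDoc rendering both inside the `[source]` block and in the inline backticks. The prose also spells the attribute `sAmAccountName` while the filter uses `sAMAccountName`; pick one spelling. Because the three clauses are OR-ed, the section should also say what the fetcher does when the filter matches more than one account, and whether the user name is escaped before it is placed into the filter.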