diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolver.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolver.java
index 08d3ea8bc1d..3494d7e1b2b 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolver.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolver.java
@@ -110,7 +110,7 @@ class SearchGroupsResolver implements GroupsResolver {
 private void getUserId(String dn, Collection attributes, LDAPInterface connection, TimeValue timeout, ActionListener listener) {
- if (isNullOrEmpty(userAttribute)) {
+ if (isNullOrEmpty(userAttribute) || userAttribute.equals("dn")) {
 listener.onResponse(dn);
 } else if (attributes != null) {
 final String value = attributes.stream()
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java
index 3e884132d61..c1e5e136739 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java
@@ -21,11 +21,14 @@ import org.elasticsearch.xpack.security.authc.ldap.support.LdapTestCase;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
 import org.junit.After;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.iterableWithSize;
 public class SearchGroupsResolverInMemoryTests extends LdapTestCase {
+ private static final String WILLIAM_BUSH = "cn=William Bush,ou=people,o=sevenSeas";
 private LDAPConnection connection;
 @After
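Review bot: The new special case compares `userAttribute` with `"dn"` case-sensitively, but LDAP attribute type names are case-insensitive, so a realm configured with `DN` would skip this branch and presumably fall into the attribute-lookup path that starts with `attributes.stream()` below, where no such attribute exists; `if (isNullOrEmpty(userAttribute) || "dn".equalsIgnoreCase(userAttribute)) {` would treat both spellings alike. Nothing at the condition explains why the value is special, so a one-line comment such as `// "dn" is not a real attribute: the entry's own DN is used as the user id` would help the next reader. The rest of getUserId, including the else branch, lies outside the hunk.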
@@ -53,11 +56,7 @@ public class SearchGroupsResolverInMemoryTests extends LdapTestCase {
 .build();
 final SearchGroupsResolver resolver = new SearchGroupsResolver(settings);
 final PlainActionFuture> future = new PlainActionFuture<>();
- resolver.resolve(connection,
- "cn=William Bush,ou=people,o=sevenSeas",
- TimeValue.timeValueSeconds(30),
- logger,
- null, future);
+ resolver.resolve(connection, WILLIAM_BUSH, TimeValue.timeValueSeconds(30), logger, null, future);
 final ExecutionException exception = expectThrows(ExecutionException.class, future::get);
 final Throwable cause = exception.getCause();
@@ -65,6 +64,53 @@ public class SearchGroupsResolverInMemoryTests extends LdapTestCase {
 assertThat(((LDAPException) cause).getResultCode(), is(ResultCode.TIMEOUT));
 }
+ /**
+ * Tests searching for groups when the "user_attribute" field is not set
+ */
+ public void testResolveWithDefaultUserAttribute() throws Exception {
+ connect(new LDAPConnectionOptions());
+
+ Settings settings = Settings.builder()
+ .put("group_search.base_dn", "ou=groups,o=sevenSeas")
+ .put("group_search.scope", LdapSearchScope.SUB_TREE)
+ .build();
+
+ final List groups = resolveGroups(settings, WILLIAM_BUSH);
+ assertThat(groups, iterableWithSize(1));
+ assertThat(groups.get(0), containsString("HMS Lydia"));
+ }
+
+ /**
+ * Tests searching for groups when the "user_attribute" field is set to "dn" (which is special)
+ */
+ public void testResolveWithExplicitDnAttribute() throws Exception {
+ connect(new LDAPConnectionOptions());
+
+ Settings settings = Settings.builder()
+ .put("group_search.base_dn", "ou=groups,o=sevenSeas")
+ .put("group_search.user_attribute", "dn")
+ .build();
+
+ final List groups = resolveGroups(settings, WILLIAM_BUSH);
+ assertThat(groups, iterableWithSize(1));
+ assertThat(groups.get(0), containsString("HMS Lydia"));
+ }
+
+ /**
+ * Tests searching for groups when the "user_attribute" field is set to a missing value
+ */
+ public void testResolveWithMissingAttribute() throws Exception {
+ connect(new LDAPConnectionOptions());
+
+ Settings settings = Settings.builder()
+ .put("group_search.base_dn", "ou=groups,o=sevenSeas")
+ .put("group_search.user_attribute", "no-such-attribute")
+ .build();
+
+ final List groups = resolveGroups(settings, WILLIAM_BUSH);
+ assertThat(groups, iterableWithSize(0));
+ }
+
 private void connect(LDAPConnectionOptions options) throws LDAPException {
 if (connection != null) {
 throw new IllegalStateException("Already connected (" + connection.getConnectionName() + ' '
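Review bot: The new tests cover the exact value `dn` but not an alternate casing such as `DN`, which is the one input the production change's `userAttribute.equals("dn")` check leaves ambiguous; a fourth case asserting whichever outcome is intended (the DN shortcut or the empty result seen in `testResolveWithMissingAttribute`) would pin that contract. Separately, `testResolveWithDefaultUserAttribute` sets `group_search.scope` to `SUB_TREE` while the other two omit it, so unless the default scope is also sub-tree the three tests are not searching the same subtree and the `user_attribute` setting is not the only variable; setting it in all three, or dropping it from the first, keeps the comparison clean. The `resolveGroups` helper these tests call is defined in a later hunk.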
@@ -74,4 +120,11 @@ public class SearchGroupsResolverInMemoryTests extends LdapTestCase {
 this.connection = LdapUtils.privilegedConnect(() -> new LDAPConnection(options, ldapurl.getHost(), ldapurl.getPort()));
 }
-}
\ No newline at end of file
+ private List resolveGroups(Settings settings, String userDn) {
+ final SearchGroupsResolver resolver = new SearchGroupsResolver(settings);
+ final PlainActionFuture> future = new PlainActionFuture<>();
+ resolver.resolve(connection, userDn, TimeValue.timeValueSeconds(30), logger, null, future);
+ return future.actionGet();
+ }
+
+}
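Review bot: `resolveGroups` blocks on `future.actionGet()` with no timeout, so if the resolver ever fails to complete the listener the three new tests hang rather than fail; the 30-second `TimeValue` passed to `resolve` is handed to the resolver and presumably bounds the LDAP operation, not this wait. `return future.actionGet(TimeValue.timeValueSeconds(30));` would make the helper fail fast in that case. Since the helper is shared by all the new tests, a short Javadoc such as `/** Resolves the groups of {@code userDn} over the shared connection and blocks until the resolver answers. */` would also be worth adding.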