There is an attribute:
Authorization:lab_DC01:UserDN CN=PC01,CN=Computers,DC=lab,DC=local
And it works when I specify this attribute as Group. But I need to authenticate all computers in the AD group: CN=lab,OU=Grupy,DC=lab,DC=local. PC01 is in group lab.
I can bypass role mapping using the condition UserDN | ENDS_WITH | CN=Computers,DC=lab,DC=local, but it is important for me to use groups instead of containers.