Is this the only realm you have enabled? Do you see access_granted for this user in the audit logs?
Currently, we only support the distinguished name of an LDAP group or user for role mapping.
mail is not part of the DN, so it cannot be used for role mapping, but it can be used to find the user in LDAP.
Let's say we have a user with the following:
With the configuration you are using, the username to use for this user would be
firstname.lastname@example.org and the role mapping definition would be:
What happens is that a search is executed to find a user whose mail attribute value matches email@example.com. Once this is found, the DN is retrieved and the user is authenticated via a bind. After the bind, groups are searched for, and then roles are mapped based on the DNs of the groups and the DN of the user.
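As an added illustration of the sequence described in the reply above (this is not code from the original thread or from the product itself), here is a small Python simulation of a user-search LDAP realm: look the login name up by mail attribute, take the DN of the single matching entry, bind as that DN, search for the groups that list it as a member, and grant roles only where the user DN or a group DN appears in the role mapping. The directory contents, the setting names and the role mapping are all constructed for the example; a mapping entry that uses a mail address instead of a DN is included to show that it never matches anything.

```python
import hmac

# Constructed in-memory stand-in for the LDAP directory (not a real LDAP server).
# Entries are keyed by DN; attribute values are lists, as they are in LDAP.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=org": {
        "mail": ["firstname.lastname@example.org"],
        "userPassword": ["s3cret"],
    },
    "uid=asmith,ou=people,dc=example,dc=org": {
        "mail": ["a.smith@example.org"],
        "userPassword": ["hunter2"],
    },
    "cn=admins,ou=groups,dc=example,dc=org": {
        "member": ["uid=jdoe,ou=people,dc=example,dc=org"],
    },
    "cn=developers,ou=groups,dc=example,dc=org": {
        "member": ["uid=jdoe,ou=people,dc=example,dc=org",
                   "uid=asmith,ou=people,dc=example,dc=org"],
    },
}

# Realm settings (hypothetical names, modelled on a user-search style LDAP realm).
USER_SEARCH_BASE = "ou=people,dc=example,dc=org"
USER_SEARCH_ATTR = "mail"          # the attribute the login name is matched against
GROUP_SEARCH_BASE = "ou=groups,dc=example,dc=org"

# Role mapping: role -> list of DNs (group DNs or user DNs). Only DNs can match.
ROLE_MAPPING = {
    "superuser": ["cn=admins,ou=groups,dc=example,dc=org"],
    "developer": ["cn=developers,ou=groups,dc=example,dc=org"],
    "auditor": ["uid=asmith,ou=people,dc=example,dc=org"],   # a user DN mapped directly
    "never_granted": ["a.smith@example.org"],                # a mail value, not a DN: matches nothing
}


def _norm(dn):
    # DN comparison is case-insensitive for attribute types and most values;
    # lowercasing and stripping whitespace around RDNs is enough for this constructed data.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _in_subtree(dn, base):
    return _norm(dn).endswith(_norm(base))


def find_user_dn(login):
    """Step 1: search the user base for an entry whose mail attribute equals the login name."""
    matches = [dn for dn, attrs in DIRECTORY.items()
               if _in_subtree(dn, USER_SEARCH_BASE)
               and login.lower() in (v.lower() for v in attrs.get(USER_SEARCH_ATTR, []))]
    # Exactly one hit is required; zero or several means the login cannot be resolved to a DN.
    return matches[0] if len(matches) == 1 else None


def bind(dn, password):
    """Step 2: simple bind as the resolved DN; the directory checks the credentials."""
    stored = DIRECTORY.get(dn, {}).get("userPassword", [])
    return any(hmac.compare_digest(s.encode(), password.encode()) for s in stored)


def groups_of(user_dn):
    """Step 3: find groups in the group base whose member attribute lists the user DN."""
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_subtree(dn, GROUP_SEARCH_BASE)
            and _norm(user_dn) in {_norm(m) for m in attrs.get("member", [])}]


def map_roles(user_dn, group_dns):
    """Step 4: a role is granted when the user DN or any group DN appears in its mapping."""
    have = {_norm(d) for d in [user_dn, *group_dns]}
    return {role for role, dns in ROLE_MAPPING.items()
            if have & {_norm(d) for d in dns}}


def authenticate(login, password):
    """Full sequence: mail lookup -> DN -> bind -> group search -> DN-based role mapping.
    Returns (user_dn, roles) on success, None if the lookup or the bind fails."""
    user_dn = find_user_dn(login)
    if user_dn is None or not bind(user_dn, password):
        return None
    return user_dn, map_roles(user_dn, groups_of(user_dn))


if __name__ == "__main__":
    print(authenticate("firstname.lastname@example.org", "s3cret"))
    print(authenticate("a.smith@example.org", "hunter2"))
    print(authenticate("a.smith@example.org", "wrong"))
```

Note that the login name is only used to locate the entry; everything after the bind works on DNs, which is why a role mapping keyed on a mail address (never_granted above) is silently ineffective while a mapping keyed on the user's own DN (auditor) works without any group membership.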