In order to match the group's requirements, a certificate's subject dns must contain the same ou attribute types in the same order as defined in the memberCertificateDescription attribute.