Add LDAP user to Administrator Policy

I'm trying to add an LDAP user to the Chef-managed Administrator Policy.
When I add a member expression and choose "LDAP", the only thing that actually works is if I add a "*" wildcard, which means any LDAP user can log in to chef-automate and have administrator access. This is obviously not what I want. If I try to add just a single user with their LDAP ID, it does not work.

What am I missing here? I feel like it's probably something silly.