LDAP - Error writing to database

Re: LDAP - Error writing to database

by Susan Mangan -
Number of replies: 0

This should be added to the documentation. Finding this post seriously helped me after pulling my hair out!

"If you leave the user attribute blank, it uses the default setting for that kind of LDAP directory. In your case (MS Active Directory) this means we are using the 'cn' (common name) attribute. This is the name you see in the user listings in 'Active Directory Users and Computers', under the 'Name' column.

The problem with this attribute in Active Directory is that it's not globally unique, it's only unique inside a given "container" (organizational unit or folder, like 'Users'). This means you can actually have two (or more) users with the same 'cn' as long as they are in different OUs.

But Moodle needs each user to have a globally unique username, so if you have two (or more) users with the same 'cn', either you change the 'cn' (which I assume is not acceptable) or use an LDAP attribute that is guaranteed to be unique among all users.

The good news is that there's such an attribute: sAMAccountName (the username your users need to type to log on to Windows). The bad news is that any existing Moodle users that have been created so far using the LDAP auth plugin have the wrong username (unless their 'cn' and their 'sAMAccountName' attribute have the same value). And Moodle doesn't know that the old username and the new username (once you change the user attribute setting) refer to the same user."
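As an added illustration of the quoted explanation (this is example code written for this page, not part of the original post and not Moodle's LDAP auth plugin), the script below runs the check an administrator would want before choosing the Moodle "user attribute": it parses a small constructed LDIF-style export of Active Directory user objects, shows that 'cn' is unique only within its container but collides across OUs, confirms that sAMAccountName is unique across the whole export, and lists the accounts whose Moodle username would change after switching attributes. The directory entries, names and DNs are all constructed; usernames are compared case-insensitively, which is an assumption made here for the comparison.

```python
"""Check which AD attribute is safe to use as a globally unique Moodle username.

All directory data below is constructed for this example; it is not from a real domain.
"""
from collections import defaultdict

# Constructed LDIF-style export of four user objects in different containers.
SAMPLE_LDIF = """\
dn: CN=John Smith,OU=Staff,DC=example,DC=org
cn: John Smith
sAMAccountName: jsmith

dn: CN=John Smith,OU=Students,DC=example,DC=org
cn: John Smith
sAMAccountName: jsmith2

dn: CN=Ana Lopez,CN=Users,DC=example,DC=org
cn: Ana Lopez
sAMAccountName: alopez

dn: CN=mperez,OU=Staff,DC=example,DC=org
cn: mperez
sAMAccountName: mperez
"""


def parse_ldif(text):
    """Minimal LDIF parser: records separated by blank lines, one 'attr: value' per line.
    Attribute names are stored lower-cased because LDAP attribute names are case-insensitive."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current[name.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def container_of(dn):
    """Parent container of a DN (the OU or CN=Users folder): everything after the first RDN."""
    return dn.split(",", 1)[1]


def collisions(entries, attr):
    """Map each attribute value (case-insensitive) to the DNs sharing it; keep only duplicates."""
    seen = defaultdict(list)
    for entry in entries:
        seen[entry[attr.lower()].lower()].append(entry["dn"])
    return {value: dns for value, dns in seen.items() if len(dns) > 1}


def unique_within_container(entries, attr):
    """True if no two objects in the SAME container share the attribute.
    This is the guarantee AD gives for 'cn', and it is weaker than global uniqueness."""
    seen = set()
    for entry in entries:
        key = (container_of(entry["dn"]).lower(), entry[attr.lower()].lower())
        if key in seen:
            return False
        seen.add(key)
    return True


def usable_as_username(entries, attr):
    """True if the attribute is unique across the whole export, as Moodle requires."""
    return not collisions(entries, attr)


def username_migration(entries, old_attr, new_attr):
    """Pairs (old_username, new_username) for accounts whose Moodle username would change
    when the user attribute setting is switched; Moodle would see these as different users.
    Accounts where both attributes already match are left out."""
    changed = []
    for entry in entries:
        old = entry[old_attr.lower()].lower()
        new = entry[new_attr.lower()].lower()
        if old != new:
            changed.append((old, new))
    return changed


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for attr in ("cn", "sAMAccountName"):
        print(f"{attr}: unique within container={unique_within_container(users, attr)}, "
              f"globally unique={usable_as_username(users, attr)}, "
              f"collisions={collisions(users, attr)}")
    print("usernames that change when switching cn -> sAMAccountName:")
    for old, new in username_migration(users, "cn", "sAMAccountName"):
        print(f"  {old!r} -> {new!r}")
```

Run against a real export (for example the output of an LDIF dump of the user containers Moodle synchronises), the same functions tell you whether 'cn' will collide and which existing Moodle accounts need their usernames reconciled before the attribute is changed.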