diff --git a/changelog/16890.txt b/changelog/16890.txt
new file mode 100644
index 0000000000000..1a3657c249edc
--- /dev/null
+++ b/changelog/16890.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/kerberos: add `add_group_aliases` config to include LDAP groups in Vault group aliases
+```
diff --git a/go.mod b/go.mod
index 00e5fb6d96acd..db0681b5ea7fc 100644
--- a/go.mod
+++ b/go.mod
@@ -100,7 +100,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-cf v0.12.0
 	github.com/hashicorp/vault-plugin-auth-gcp v0.13.2
 	github.com/hashicorp/vault-plugin-auth-jwt v0.13.0
-	github.com/hashicorp/vault-plugin-auth-kerberos v0.7.2
+	github.com/hashicorp/vault-plugin-auth-kerberos v0.7.3
 	github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0
 	github.com/hashicorp/vault-plugin-auth-oci v0.11.0
 	github.com/hashicorp/vault-plugin-database-couchbase v0.7.0
diff --git a/go.sum b/go.sum
index 29c45dba1ab23..c9e5db91ef4e4 100644
--- a/go.sum
+++ b/go.sum
@@ -978,8 +978,8 @@ github.com/hashicorp/vault-plugin-auth-gcp v0.13.2 h1:rv8gBKYzFz9BD9pFRyrmfi46Bu
 github.com/hashicorp/vault-plugin-auth-gcp v0.13.2/go.mod h1:tHtTF/qQmrRrY5DEOxWxoW/y5Wk9VoHsBOC339RO3d8=
 github.com/hashicorp/vault-plugin-auth-jwt v0.13.0 h1:BeMC4ZnP8iwRgL8vInEvCICA6e+iiDtkmOdNYKg3aGQ=
 github.com/hashicorp/vault-plugin-auth-jwt v0.13.0/go.mod h1:+WL5kaq/0L5OROsA31X15U8yTIX4GTEv1rTLA9d15eo=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.7.2 h1:rtQ4aSr3vtAaQ8Al4p4ftZXgl47o+XyEbAR+mQNYaMs=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.7.2/go.mod h1:eqjae8tMBpAWgJNk1NjV/vtJYXQRZnYudUkBFowz3bY=
+github.com/hashicorp/vault-plugin-auth-kerberos v0.7.3 h1:QumrPHn5n9iTaZScZwplqdnXoeMOrb3GJcwMweTmR3o=
+github.com/hashicorp/vault-plugin-auth-kerberos v0.7.3/go.mod h1:eqjae8tMBpAWgJNk1NjV/vtJYXQRZnYudUkBFowz3bY=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0 h1:pONFgWz9hbcS1wFxPtQJYj9Mt/nzPVX1kw1DGv+92Ww=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0/go.mod h1:/hQF30guXWLcIUiTYsXoQ0dUTHspo0q30nLBr1RE+Lw=
 github.com/hashicorp/vault-plugin-auth-oci v0.11.0 h1:DrdccnGU8O28I1MIs21zmbYM2Nta7RLOAzozvDSX9h0=
diff --git a/website/content/api-docs/auth/kerberos.mdx b/website/content/api-docs/auth/kerberos.mdx
index e29bd609ce3eb..e5ad3dafa4144 100644
--- a/website/content/api-docs/auth/kerberos.mdx
+++ b/website/content/api-docs/auth/kerberos.mdx
@@ -39,6 +39,8 @@ for verifying inbound SPNEGO tokens.
   principal name when parsing the keytab file. For example when this is set to true,
   if a keytab has the service principal name `foo/localhost@example.com`, Vault
   will strip the service principal name to just be `foo@example.com`. 
+- `add_group_aliases` - When set to true, Vault will add any LDAP groups found for 
+  the user as group aliases.
 
 ### Sample Request
 
@@ -54,9 +56,10 @@ $ curl \
 
 ```json
 {
+  "add_group_aliases": false,
   "keytab": "BQIAAAA6AAEACk1BVFJJWC5MQU4ACXZhdWx0X3N2YwAAAAFdzZSjAgAXABDwhEyRR9nRqkpP8KTn2A83AAAAAg==",
   "remove_instance_name": false,
-  "service_account": "vault_svc",
+  "service_account": "vault_svc"
 }
 ```
 
@@ -85,6 +88,7 @@ $ curl \
   "warnings": null,
   "wrap_info": null,
   "data": {
+    "add_group_aliases": false,
     "remove_instance_name": false,
     "service_account": "vault_svc"
   },