Allow LDAP search without anonymous read #86

@mdavidsaver

Description

There is currently no way to configure a DN to BIND when the ldap client is not acting on behalf of a particular user. This requires that the ldap server be configured to allow anonymous users to dump at least the group list, including membership.

As far as I can tell, the Spring Boot convention would configure this with ldap.username and ldap.password. I think this would be set with managerDn(). Despite the name, I think this could be any user with read permission for the necessary parts of the ldap database (so it need not be an admin account). One perhaps relevant example.

FYI: by looking at the openldap server log, I can see that the sequence of operations is:

  • BIND with the user provided through http basic auth
  • UNBIND
  • SEARCH do a groups search

What I would like to see happen if ldap.username is set:

  • BIND with a DN derived from the username provided through http basic auth
  • UNBIND
  • BIND with the "manager" DN
  • SEARCH do a groups search
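The sequence requested above, as an added example using plain Spring Security LDAP classes (this is illustration code, not the project's own configuration). It assumes the property names ldap.url, ldap.username and ldap.password, an ou=people / ou=groups layout under the base DN in the URL, and groupOfNames-style groups with a member attribute; all of those are assumptions. With a manager DN set, the group search is performed under that bind; with none set, DefaultSpringSecurityContextSource falls back to an anonymous bind for the search, which is the situation the issue describes.

```java
// Added example, not from the project: BIND as the user's DN to check the
// password (then UNBIND), then BIND as a separate "manager" DN for the group
// SEARCH. Property names, DN patterns and group layout are assumptions.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Configuration
public class LdapConfig {

    @Bean
    public DefaultSpringSecurityContextSource contextSource(
            @Value("${ldap.url}") String url,                 // e.g. ldap://ldap.example.org:389/dc=example,dc=org (assumed)
            @Value("${ldap.username:}") String managerDn,     // empty -> anonymous read-only context
            @Value("${ldap.password:}") String managerPassword) {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(url);
        if (!managerDn.isEmpty()) {
            // These credentials are used for every operation that is not on
            // behalf of a particular user, i.e. the group search. The account
            // only needs read access to the people and groups subtrees; it does
            // not need to be an admin account.
            cs.setUserDn(managerDn);
            cs.setPassword(managerPassword);
        }
        return cs;
    }

    @Bean
    public AuthenticationProvider ldapAuthenticationProvider(DefaultSpringSecurityContextSource cs) {
        // 1) BIND with a DN derived from the HTTP Basic username, then UNBIND.
        //    BindAuthenticator opens its own context with the user's DN and
        //    password and closes it again as soon as the bind has succeeded.
        BindAuthenticator authenticator = new BindAuthenticator(cs);
        authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});

        // 2) BIND with the manager DN (if configured) and SEARCH for groups.
        //    The populator uses cs.getReadOnlyContext(), which binds with the
        //    manager credentials set above, or anonymously if none were set.
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(cs, "ou=groups");
        populator.setGroupSearchFilter("(member={0})"); // {0} = full user DN
        populator.setGroupRoleAttribute("cn");
        populator.setSearchSubtree(true);

        return new LdapAuthenticationProvider(authenticator, populator);
    }
}
```

A quick way to confirm the server side before wiring this up is to run the same group search with ldapsearch once with -x and no -D (anonymous) and once with -D set to the manager DN: if only the second returns the member attributes, the anonymous-read requirement described in the issue is what is blocking the group lookup.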
