I do not have a flat hierarchy where users will be located and
as a result I would need a bind account which I cannot use as
a result of the unsecure password.
Some directories facilitate binds against a consistent format
string such as <login ID>@domain.com or DOMAIN\<login ID>
after which point the dn and attribute / group data can be
It appears as if the ldap-username-attribute imposes an
unnatural restriction by defining the bind DN in code and
not simply exposing the desired format string?
Is there any workaround for this anyone can think of?