Bug Report
System Information
Operating System: Debian GNU/Linux 12 (bookworm)
Virtualization: kvm
Kernel: Linux 6.1.0-17-amd64
Architecture: x86-64
Hardware Vendor: QEMU
Hardware Model: Standard PC i440FX + PIIX, 1996
Firmware Version: rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org
AMP version and build date: AMP Release “Decadeus” v2.4.8, built 29/01/2024 18:40
AMP Release Stream: Mainline
I confirm:
[x] that I have searched for an existing bug report for this issue.
[x] that I am using the latest available version of AMP.
[x] that my operating system is up-to-date.
Symptoms
What are you trying to do?
Configure AMP to connect to my LDAP server
What are you expecting to happen?
AMP should query the LDAP server for a user using the sAMAccountName and then bind to the LDAP server using the distinguishedName as the bind DN.
What is actually happening? ('Nothing' is not an acceptable answer!)
AMP is using the sAMAccountName as the bind DN at the user authentication stage, causing an Insufficient Access (50) error.
Reproduction
Create an LDAP user and confirm the following 3 attributes exist and contain values:
I will use IcanHazCheesburgr as my example:
a. sAMAccountName: IcanHazCheesburgr
b. distinguishedName: cn=IcanHazCheesburgr,ou=users,dc=ldap,dc=goauthentik,dc=io
c. memberOf: cn=AMP_Users,ou=groups,dc=ldap,dc=goauthentik,dc=io
Configure AMP's LDAP section as follows:
################################
# Login
################################
Login.UseAuthServer=False
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=http://localhost:8080/
Login.MetricsServerPort=12820
Login.UseLDAPLogins=True
Login.UseLDAP3=True
Login.AllowLocalUsersWithLDAP=False
Login.LDAPAuthDomain=ldap.goauthentik.io
Login.LDAP3Host=ldap.goauthentik.io
Login.LDAP3FilterDN=OU=users,DC=ldap,DC=goauthentik,DC=io
Login.LDAP3UserDN=cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io
Login.LDAPGroupPrefix=AMP_
Login.LDAPUserDomain=ldap.goauthentik.io
Login.LDAP3UsesSSL=False
Login.LDAPADPre2000=False
Login.LDAPStripDomainFromFilter=False
Login.LDAPQueryUsername=ldapservice
Login.LDAPQueryPassword=[redacted]
Wireshark the traffic going out of the AMP server.
Log into the AMP instance using an LDAP-based account. I will use the same IcanHazCheesburgr account as previously described.
Observe the following steps occur:
a. The ldapservice account successfully binds to the LDAP server and performs the following LDAP search: (&(objectClass=user)(sAMAccountName=IcanHazCheesBurgr))
b. AMP tries to bind to the LDAP server using the sAMAccountName and fails, yielding an Insufficient Access (50) error.
What could help increase compatibility with multiple LDAP implementations while fixing this issue would be to add the ability to specify the user and group attributes in the config file.
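The search-then-bind flow the report expects (service account binds, searches by sAMAccountName, then binds as the user with the returned distinguishedName), as an added example that is not AMP's code. The directory server is replaced by an in-memory stub (StubDirectory) constructed for this example; the DNs and attribute values are taken from the report, while the passwords, the function names and the stub's error codes (which mirror what the report observed rather than any particular server's behaviour) are assumptions. The filter value is escaped per RFC 4515 so that a username containing `*`, `(` or `)` cannot change the shape of the query, and anything other than exactly one matching entry is refused.

```python
import re


class LdapError(Exception):
    """Failed LDAP operation; .code mirrors an LDAP result code."""

    def __init__(self, code: int, message: str):
        super().__init__(f"{message} ({code})")
        self.code = code


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515 section 3)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(sam_account_name: str) -> str:
    """The filter the report shows AMP sending, with the username escaped."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


_CLAUSE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def _value_pattern(raw: str) -> re.Pattern:
    # An unescaped '*' is a wildcard; everything else is literal after \XX unescaping.
    parts = [re.escape(unescape_filter_value(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


class StubDirectory:
    """In-memory stand-in for an LDAP server (constructed for this example).
    Understands only AND filters of equality clauses, which is all this flow needs."""

    def __init__(self, entries: dict, passwords: dict):
        self.entries = entries      # DN -> attributes (every value is a list)
        self.passwords = passwords  # DN -> password
        self.bound_as = None

    def bind(self, dn: str, password: str) -> None:
        if dn not in self.entries:
            # A bind name that is not a known DN fails. The report saw result
            # code 50 (Insufficient Access) here; real servers may answer differently.
            raise LdapError(50, "Insufficient Access")
        if self.passwords.get(dn) != password:
            raise LdapError(49, "Invalid Credentials")
        self.bound_as = dn

    def search(self, base_dn: str, ldap_filter: str, attributes: list) -> list:
        if self.bound_as is None:
            raise LdapError(50, "Insufficient Access")
        wanted = [(a.lower(), _value_pattern(v)) for a, v in _CLAUSE.findall(ldap_filter)]
        results = []
        for dn, attrs in self.entries.items():
            if not dn.lower().endswith(base_dn.lower()):
                continue
            lowered = {k.lower(): v for k, v in attrs.items()}
            if all(any(pat.match(x) for x in lowered.get(attr, [])) for attr, pat in wanted):
                results.append({a: attrs.get(a, []) for a in attributes})
        return results


def authenticate(directory, *, base_dn, service_dn, service_password,
                 username, password, group_prefix="AMP_"):
    """Search-then-bind: look the user up with the service account, then bind
    as the user with the distinguishedName the search returned."""
    directory.bind(service_dn, service_password)
    entries = directory.search(base_dn, build_user_filter(username), ["distinguishedName", "memberOf"])
    if len(entries) != 1:
        return None  # unknown user, or an ambiguous match: refuse
    user_dn = entries[0]["distinguishedName"][0]
    try:
        directory.bind(user_dn, password)  # the DN, not the sAMAccountName
    except LdapError:
        return None
    # Only groups whose CN carries the configured prefix are passed on to AMP.
    groups = [g.split(",")[0][3:] for g in entries[0]["memberOf"]
              if g.lower().startswith(f"cn={group_prefix.lower()}")]
    return {"dn": user_dn, "groups": groups}


def bind_as_reported_bug(directory, username: str, password: str):
    """What the report observes: binding with the bare sAMAccountName as the bind DN."""
    try:
        directory.bind(username, password)
        return None
    except LdapError as e:
        return e.code


# Constructed sample directory using the DNs from the report; passwords are made up.
BASE_DN = "ou=users,dc=ldap,dc=goauthentik,dc=io"
SERVICE_DN = "cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io"
USER_DN = "cn=IcanHazCheesburgr,ou=users,dc=ldap,dc=goauthentik,dc=io"
DIRECTORY = StubDirectory(
    entries={
        SERVICE_DN: {"objectClass": ["user"], "sAMAccountName": ["ldapservice"],
                     "distinguishedName": [SERVICE_DN], "memberOf": []},
        USER_DN: {"objectClass": ["user"], "sAMAccountName": ["IcanHazCheesburgr"],
                  "distinguishedName": [USER_DN],
                  "memberOf": ["cn=AMP_Users,ou=groups,dc=ldap,dc=goauthentik,dc=io",
                               "cn=Staff,ou=groups,dc=ldap,dc=goauthentik,dc=io"]},
    },
    passwords={SERVICE_DN: "service-pw", USER_DN: "user-pw"},
)

if __name__ == "__main__":
    print(authenticate(DIRECTORY, base_dn=BASE_DN, service_dn=SERVICE_DN,
                       service_password="service-pw", username="IcanHazCheesburgr", password="user-pw"))
    print(bind_as_reported_bug(DIRECTORY, "IcanHazCheesburgr", "user-pw"))
```

Matching is case-insensitive, as Active Directory's is for these attributes, so the login name can be typed in any case; the DN used for the second bind is always the one the directory returned, never something derived from user input.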