Description
| Q | A |
| --- | --- |
| Bug report? | no |
| Feature request? | yes |
| BC Break report? | no |
| RFC? | no |
| Symfony version | 3.2.0 |

I am implementing LDAP authentication using `form_ldap_bind`, which supports the `search_dn` configuration option to dynamically generate the DN to use for the `ldap_bind()` check.

However, in my case the DNs differ in more than the username for different users:
`uid=foo,ou=External,ou=Employees,dc=example,dc=com`
vs. `uid=bar,ou=Internal,ou=Employees,dc=example,dc=com`

The `LdapUserProvider` in turn supports searching for users but then requires a password attribute to validate the authentication, which isn't available in my case. `LdapBindAuthenticationProvider` also does not support a filter parameter (which might be useful here, but I am not an LDAP expert).

I wonder if we need another auth provider which is more flexible to find the relevant DN from the LDAP server before attempting to validate the password via `ldap_bind()`, along the lines of:

```
ldapsearch -d 1 -w 'XXX' -H ldaps://example.com:636 -D "uid=sys,ou=Accounts,dc=example,dc=com" -b 'dc=example,dc=com' '(uid=foo)' dn
```
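
The search-then-bind flow requested above, sketched with the Symfony Ldap component as an added example that is not part of the original post and is not Symfony's own provider code. It shows the checks such a provider needs: an escaped filter value, exactly one matching entry, and rejection of empty passwords. The host, service DN and base DN are the ones from the `ldapsearch` command; the function name and the environment variable names are hypothetical, and a reachable LDAP server is assumed.

```php
<?php
// Added example (not from the issue): resolve the user's DN with a service
// account, then verify the password by binding as that DN.
use Symfony\Component\Ldap\Exception\ConnectionException;
use Symfony\Component\Ldap\Ldap;
use Symfony\Component\Ldap\LdapInterface;

require __DIR__.'/vendor/autoload.php';

// Hypothetical helper: returns the authenticated DN, or null on failure.
function authenticateBySearchThenBind(LdapInterface $ldap, string $serviceDn, string $servicePassword, string $baseDn, string $username, string $password): ?string
{
    // A bind with a DN and an empty password is an "unauthenticated bind"
    // (RFC 4513, section 5.1.2) that many servers accept, so refuse it here.
    if ('' === $username || '' === $password) {
        return null;
    }

    // 1. Bind as the service account. A failure here is a configuration
    //    problem, so the ConnectionException is left to propagate.
    $ldap->bind($serviceDn, $servicePassword);

    // 2. Escape the user-supplied value so characters such as * ( ) \ cannot
    //    change the structure of the search filter.
    $filter = sprintf('(uid=%s)', $ldap->escape($username, '', LdapInterface::ESCAPE_FILTER));
    $entries = $ldap->query($baseDn, $filter)->execute();

    // 3. Zero matches means unknown user; more than one is ambiguous.
    if (1 !== count($entries)) {
        return null;
    }
    $userDn = $entries[0]->getDn();

    // 4. The password check itself: bind as the DN the directory returned.
    try {
        $ldap->bind($userDn, $password);
    } catch (ConnectionException $e) {
        return null;
    }

    return $userDn;
}

// Connection values taken from the ldapsearch command in the issue.
$ldap = Ldap::create('ext_ldap', ['host' => 'example.com', 'port' => 636, 'encryption' => 'ssl']);
$dn = authenticateBySearchThenBind($ldap, 'uid=sys,ou=Accounts,dc=example,dc=com', (string) getenv('LDAP_SERVICE_PASSWORD'), 'dc=example,dc=com', (string) getenv('LOGIN_USER'), (string) getenv('LOGIN_PASSWORD'));
echo null === $dn ? "authentication failed\n" : "authenticated as $dn\n";
```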