ZF-5817: Can't use external email addresses as username with Zend_Auth_Adapter_Ldap
We were looking into authenticating our webapp users based on their email addresses via LDAP, but if you pass an arbitrary email address to a Zend_Auth_Adapter_Ldap:
WITH an accountDomainName set (and inferred accountCanonicalForm = 4), it treats the email address as a domain-qualified username and the authentication attempt fails for any user whose email domain is not accountDomainName - since the LDAP server is understood to be an authority only for accountDomainName, you get a domain mismatch.
WITHOUT an accountDomainName set (and inferred accountCanonicalForm = 2), it canonicalizes the "@" and everything after it right off the domain, and you end up with only the local part of the user's email address being passed to the LDAP server, which of course doesn't match if you're querying by email address with the following (correct) filter: "(&(objectClass=inetOrgPerson)(mail=%s))", as opposed to the default.
If you try to force accountCanonicalForm = 4 to include the domain without specifying an accountDomainName, it throws an exception.
To verify the behavior we were seeing, we tried using cn instead of mail as the RDN by setting cn to the email address minus its "@", and set the filter to "(&(objectClass=inetOrgPerson)(cn=%s))". This authenticated successfully.
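To make the two failure paths reproducible without an LDAP server, here is a constructed model of the account-name handling the report describes. It is an added illustration, not Zend_Auth_Adapter_Ldap's own code: the two accountCanonicalForm values (2 and 4) and the mail filter come from the report above, while the sample addresses, the domain "example.org" and the RFC 4515 value escaping are assumptions added here.

```python
# Constructed model of the account-name handling described in ZF-5817.
# Not Zend_Auth_Adapter_Ldap's code; only the behaviour the report states.
ACCTNAME_FORM_USERNAME = 2   # inferred when accountDomainName is not set
ACCTNAME_FORM_PRINCIPAL = 4  # inferred when accountDomainName is set

MAIL_FILTER = "(&(objectClass=inetOrgPerson)(mail=%s))"  # filter from the report


class DomainMismatch(ValueError):
    """The server is treated as an authority for accountDomainName only."""


class MissingDomainName(ValueError):
    """accountCanonicalForm=4 was forced without an accountDomainName."""


def canonicalize(account, form, account_domain_name=None):
    """Return the name that replaces %s in accountFilterFormat."""
    if form == ACCTNAME_FORM_PRINCIPAL and not account_domain_name:
        raise MissingDomainName("accountCanonicalForm=4 needs accountDomainName")
    local, at, domain = account.partition("@")
    if form == ACCTNAME_FORM_USERNAME:
        return local  # "@" and everything after it is stripped
    if form == ACCTNAME_FORM_PRINCIPAL:
        if at and domain.lower() != account_domain_name.lower():
            raise DomainMismatch(f"{domain} is not {account_domain_name}")
        return f"{local}@{account_domain_name}"
    raise ValueError(f"unsupported accountCanonicalForm {form}")


def escape_filter_value(value):
    """RFC 4515 escaping (assumed here): the account name is user input."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_filter(filter_format, account, form, account_domain_name=None):
    name = canonicalize(account, form, account_domain_name)
    return filter_format.replace("%s", escape_filter_value(name))


def probe(filter_format, account, form, account_domain_name=None):
    """Return the filter that would be sent, or the name of the failure."""
    try:
        return build_filter(filter_format, account, form, account_domain_name)
    except (DomainMismatch, MissingDomainName) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for case in [("alice@example.org", ACCTNAME_FORM_USERNAME, None),
                 ("alice@example.org", ACCTNAME_FORM_PRINCIPAL, "example.org"),
                 ("bob@other.org", ACCTNAME_FORM_PRINCIPAL, "example.org"),
                 ("alice@example.org", ACCTNAME_FORM_PRINCIPAL, None)]:
        print(case, "->", probe(MAIL_FILTER, *case))
```

With form 2 the mail filter is sent with only the local part, so it never matches a mail attribute; with form 4 it matches only for addresses in accountDomainName.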