I've found recently that the current Active Directory user source implementation can somewhat work in a pure LDAP environment; however, it's not very flexible.
Notably, the authentication method seems to simply send the {user prefix}{entered username}{user suffix} string to the server as the bind user, regardless of what the actual DN returned by the user search record contained.
This works if the user records are all contained in one 'folder' and have the username as part of their DN, but any deviation from this prevents users from authenticating against the server.
I would recommend the search result from the user search config field get parsed for the DN, and then the DN gets sent to the server for authentication purposes. The prefix and suffix fields should not be required if the search result found a record. This may also require that the allowable characters in the gateway username field get extended to include '=' and ',', as that user's DN would need to be explicitly declared in the config (since you can't query that user without logging in first).
By parsing the DN from the search result, this also extends options for including other fields such as email address or employee id as a valid 'username' field on login (since your search query can filter on anything).
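The two flows described above side by side, as an added example that is not code from the project this request is about: a prefix/suffix bind that only works when every user sits under the same RDN pattern, and a search-then-bind flow that authenticates with a service account, looks the user up by any attribute (uid, mail, employeeNumber), and binds with the DN the search returned. The directory entries, the `FakeLdapServer` class and the service account `cn=ldap-reader` are constructed so it runs offline; a real deployment would talk to an LDAP server through a library such as python-ldap or ldap3. Because the login value becomes part of a search filter, it is escaped per RFC 4515 before use.

```python
"""Search-then-bind LDAP authentication versus prefix/suffix bind.

Added example; the directory and server below are constructed stand-ins.
"""
from __future__ import annotations

import hmac
import re

# Constructed sample directory: users in two different OUs plus a read-only
# service account used for the user search.
DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=org": {
        "uid": "alice", "mail": "alice@example.org",
        "employeeNumber": "1001", "userPassword": "alice-secret",
    },
    "uid=bob,ou=contractors,dc=example,dc=org": {
        "uid": "bob", "mail": "bob@example.org",
        "employeeNumber": "1002", "userPassword": "bob-secret",
    },
    "cn=ldap-reader,ou=services,dc=example,dc=org": {
        "cn": "ldap-reader", "userPassword": "reader-secret",
    },
}

_FILTER_RE = re.compile(r"^\((\w+)=(.*)\)$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515 s.3),
    so characters like '*', '(' and ')' stay literal instead of altering
    the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def _unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


class FakeLdapServer:
    """Minimal stand-in for an LDAP server: simple bind plus a subtree search
    that understands one equality filter such as '(uid=alice)'. It does not
    implement wildcards or compound filters."""

    def __init__(self, entries: dict[str, dict[str, str]]):
        self.entries = entries

    def simple_bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        # An empty password would be an anonymous bind on a real server;
        # never let it count as authentication.
        if entry is None or not password:
            return False
        return hmac.compare_digest(entry["userPassword"], password)

    def search(self, base_dn: str, ldap_filter: str) -> list[str]:
        m = _FILTER_RE.match(ldap_filter)
        if not m:
            raise ValueError("unsupported filter: %r" % ldap_filter)
        attr, raw = m.groups()
        value = _unescape_filter_value(raw)
        return [dn for dn, entry in self.entries.items()
                if dn.endswith("," + base_dn) and entry.get(attr) == value]


def authenticate_prefix_suffix(server, prefix, suffix, username, password):
    """Current behaviour from the post: bind as prefix + username + suffix.
    Only users whose DN follows exactly that pattern can log in."""
    return server.simple_bind(prefix + username + suffix, password)


def authenticate_search_then_bind(server, service_dn, service_password,
                                  base_dn, login_attr, username, password):
    """Proposed behaviour: bind as a service account, search for the user by
    login_attr, then bind with the DN the search returned. Returns the user's
    DN on success, None otherwise."""
    if not server.simple_bind(service_dn, service_password):
        return None
    ldap_filter = "(%s=%s)" % (login_attr, escape_filter_value(username))
    matches = server.search(base_dn, ldap_filter)
    # Zero matches: unknown user. More than one: the login attribute is
    # ambiguous for this value; refuse rather than pick one.
    if len(matches) != 1:
        return None
    user_dn = matches[0]
    return user_dn if server.simple_bind(user_dn, password) else None


if __name__ == "__main__":
    srv = FakeLdapServer(DIRECTORY)
    svc = "cn=ldap-reader,ou=services,dc=example,dc=org"
    suffix = ",ou=staff,dc=example,dc=org"
    print(authenticate_prefix_suffix(srv, "uid=", suffix, "bob", "bob-secret"))
    print(authenticate_search_then_bind(srv, svc, "reader-secret",
                                        "dc=example,dc=org", "uid",
                                        "bob", "bob-secret"))
```

With the prefix/suffix scheme, `bob` in `ou=contractors` can never authenticate against a config written for `ou=staff`; with search-then-bind the same config finds him by `uid`, `mail` or `employeeNumber` and binds with whatever DN the directory actually holds. Requiring exactly one search hit keeps a non-unique login attribute from silently authenticating the wrong entry.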
I would love to see pure LDAP support so I can have a proper user directory without the need for a Windows environment at all.