Context:
When configuring LDAP authentication in InvenTree, environments with users distributed across multiple OUs (not a single OU) require the ability to bind to a service account for user/group searches while allowing authentication from any OU under the base domain (e.g., dc=domain,dc=com). Currently, this is achievable without group search by setting:

```
INVENTREE_LDAP_USER_DN_TEMPLATE = ""  # Empty
INVENTREE_LDAP_BASE_DN = "dc=domain,dc=com"
```

This allows users to authenticate regardless of their OU, as the search starts at the base DN.

Problem:
Enabling group search forces the use of INVENTREE_LDAP_SEARCH_BASE_DN, which requires specifying a specific OU (e.g., ou=users,dc=domain,dc=com). This breaks compatibility with environments where users exist in arbitrary OUs under the base DN. Leaving INVENTREE_LDAP_USER_DN_TEMPLATE empty or omitting it does not work in this scenario, as the group search expects a constrained search path.

Request:
- Allow INVENTREE_LDAP_SEARCH_BASE_DN to inherit the base domain (e.g., dc=domain,dc=com) when INVENTREE_LDAP_USER_DN_TEMPLATE is empty, enabling group searches across all OUs under the base DN.
- Support binding to a service account (via INVENTREE_LDAP_BIND_DN and INVENTREE_LDAP_BIND_PASSWORD) while retaining the flexibility of searching the entire base DN for users and groups, without requiring an OU-specific path.

Example Desired Configuration:

Authenticate users from any OU under the base DN:

```
INVENTREE_LDAP_USER_DN_TEMPLATE = ""
INVENTREE_LDAP_BASE_DN = "dc=domain,dc=com"
```

Bind to a service account for group syncing:

```
INVENTREE_LDAP_BIND_DN = "cn=service-account,dc=domain,dc=com"
INVENTREE_LDAP_BIND_PASSWORD = "pass"
```

Search groups/users across the entire base DN (no OU restriction):

```
INVENTREE_LDAP_SEARCH_BASE_DN = "dc=domain,dc=com"
```

Why This Matters:
- Enterprises often have users/groups distributed across multiple OUs (e.g., regional or departmental OUs).
- Forcing an OU-specific SEARCH_BASE_DN creates unnecessary administrative overhead and limits flexibility.
- The current workaround (disabling group sync) sacrifices functionality for compatibility.

Documentation Gap:
The behavior of leaving INVENTREE_LDAP_USER_DN_TEMPLATE empty to enable base DN-wide searches is undocumented. Clarifying this and extending it to group searches would greatly improve usability.

Additional Notes:
If this is already possible but I misconfigured my environment, guidance on resolving the conflict between group sync and OU-agnostic searches would be much appreciated!
Issue first reported in:
#8365 (comment)
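The following is an added illustration, not code from the post or from InvenTree itself. It models the two points the request turns on: a subtree search rooted at an OU-specific base cannot reach users in sibling OUs, while one rooted at the base DN reaches them all, and a hypothetical resolver (`effective_search_base`, my naming) that falls back from an unset INVENTREE_LDAP_SEARCH_BASE_DN to INVENTREE_LDAP_BASE_DN when the DN template is empty. The directory entries are constructed; no LDAP server is contacted.

```python
from typing import Iterable

# Constructed sample directory: users spread across several OUs under the base DN.
SAMPLE_DIRECTORY = [
    "uid=alice,ou=users,dc=domain,dc=com",
    "uid=bob,ou=emea,ou=people,dc=domain,dc=com",
    "uid=carol,OU=APAC,DC=Domain,DC=com",          # mixed case, as AD often returns
    "cn=inventree-admins,ou=groups,dc=domain,dc=com",
]


def normalise_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, lower-cased and whitespace-trimmed.

    Simplified on purpose: escaped commas and multi-valued RDNs are not handled.
    """
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or lies anywhere beneath it (what a SUBTREE search covers)."""
    parts, base = normalise_dn(dn), normalise_dn(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base


def effective_search_base(env: dict[str, str]) -> str:
    """Hypothetical resolver for the requested behaviour (not InvenTree's logic).

    Explicit INVENTREE_LDAP_SEARCH_BASE_DN wins, but must sit under the base DN so a
    typo cannot widen the search beyond the directory the bind account is meant for.
    With an empty DN template and no explicit search base, inherit INVENTREE_LDAP_BASE_DN.
    """
    base_dn = env["INVENTREE_LDAP_BASE_DN"]
    explicit = env.get("INVENTREE_LDAP_SEARCH_BASE_DN", "").strip()
    if explicit:
        if not dn_in_subtree(explicit, base_dn):
            raise ValueError("search base DN must lie under INVENTREE_LDAP_BASE_DN")
        return explicit
    if not env.get("INVENTREE_LDAP_USER_DN_TEMPLATE", "").strip():
        return base_dn
    raise ValueError("INVENTREE_LDAP_SEARCH_BASE_DN is required when a DN template is set")


def entries_visible(search_base: str, directory: Iterable[str] = SAMPLE_DIRECTORY) -> list[str]:
    """Entries a subtree search rooted at search_base can reach in the sample directory."""
    return [dn for dn in directory if dn_in_subtree(dn, search_base)]


if __name__ == "__main__":
    print("ou=users only:", entries_visible("ou=users,dc=domain,dc=com"))
    print("whole base DN:", entries_visible("dc=domain,dc=com"))
```

With the OU-restricted base only alice is found, so bob and carol can never be matched for group sync; rooting the search at dc=domain,dc=com finds every entry, which is the behaviour the request asks for.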