From 6fab5e9d1d33b4d02cf8c4c605ac8a1ca3dcc88c Mon Sep 17 00:00:00 2001
From: Louis Chan
Date: Thu, 1 Aug 2024 12:54:54 +0800
Subject: [PATCH] Use dn instead of username
---
docs/specs/ldap.md | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/docs/specs/ldap.md b/docs/specs/ldap.md
index 9b38edf8b00..3986415e49c 100644
--- a/docs/specs/ldap.md
+++ b/docs/specs/ldap.md
@@ -34,7 +34,7 @@ When the connection URL starts with `ldaps://`, then Authgear will connect to th
 It is very common that before a LDAP client can run any [Search Operation](https://datatracker.ietf.org/doc/html/rfc4511#section-4.5), the LDAP client must perform [Bind Operation](https://datatracker.ietf.org/doc/html/rfc4511#section-4.2) first.
-Authgear supports Simple Bind with username and password.
+Authgear supports Simple Bind with DN and password, according to https://datatracker.ietf.org/doc/html/rfc4513#section-5.1.3
 ## Configuration of LDAP servers
@@ -86,14 +86,16 @@ secrets:
 - data:
 items:
 - name: default
- username: authgear
+ # According to https://datatracker.ietf.org/doc/html/rfc4513#section-5.1.3,
+ # Simple Bind takes a DN and a password.
+ dn: cn=authgear,dc=example,dc=com
 password: secret1
 key: ldap
 ```
 - `items.name`: To associate a LDAP server in `authgear.yaml`.
-- `items.username`: Optional. The username Authgear uses to authenticate itself to the LDAP server. If it is not provided, then Authgear does not authenticates itself, and assumes the LDAP server allows anonymous requests.
-- `items.password`: Optional. The password Authgear uses to authenticate itself to the LDAP server. If `username` is provided, then `password` is required.
+- `items.dn`: Optional. The DN of the LDAP entry Authgear uses to authenticate itself to the LDAP server. If it is not provided, then Authgear does not authenticates itself, and assumes the LDAP server allows anonymous requests.
+- `items.password`: Optional. The password of the LDAP entry Authgear uses to authenticate itself to the LDAP server. If `dn` is provided, then `password` is required.
 ## Validation on the configuration