path: root/internal/authentication/ldap_user_provider_test.go
authorJames Elliott <james-d-elliott@users.noreply.github.com>2021-01-04 21:28:55 +1100
committerGitHub <noreply@github.com>2021-01-04 21:28:55 +1100
commit29a900226d8ac85fa04e11af022a9561dae9e652 (patch)
treef6d575ddbe474fc3472ae2743b716529046292a6 /internal/authentication/ldap_user_provider_test.go
parent3487fd392e770c3e4c7af9aa5ef8e3e25b9a73eb (diff)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uniform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into its own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
Diffstat (limited to 'internal/authentication/ldap_user_provider_test.go')
-rw-r--r--internal/authentication/ldap_user_provider_test.go533
1 files changed, 404 insertions, 129 deletions
diff --git a/internal/authentication/ldap_user_provider_test.go b/internal/authentication/ldap_user_provider_test.go
index b4c3ab6e2..4036415f7 100644
--- a/internal/authentication/ldap_user_provider_test.go
+++ b/internal/authentication/ldap_user_provider_test.go
@@ -19,19 +19,22 @@ func TestShouldCreateRawConnectionWhenSchemeIsLDAP(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldap://127.0.0.1:389",
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ },
+ nil,
+ mockFactory)
mockFactory.EXPECT().
- Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
- _, err := ldap.connect("cn=admin,dc=example,dc=com", "password")
+ _, err := ldapClient.connect("cn=admin,dc=example,dc=com", "password")
require.NoError(t, err)
}
@@ -43,19 +46,22 @@ func TestShouldCreateTLSConnectionWhenSchemeIsLDAPS(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldaps://127.0.0.1:389",
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldaps://127.0.0.1:389",
+ },
+ nil,
+ mockFactory)
mockFactory.EXPECT().
- DialTLS(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389"), gomock.Any()).
+ DialURL(gomock.Eq("ldaps://127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
- _, err := ldap.connect("cn=admin,dc=example,dc=com", "password")
+ _, err := ldapClient.connect("cn=admin,dc=example,dc=com", "password")
require.NoError(t, err)
}
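Review bot: The new `DialURL(gomock.Eq("ldaps://127.0.0.1:389"), gomock.Any())` expectation at L58 checks nothing about how the TLS session is configured, so the behaviour this commit introduces (server name taken from the LDAP URL, the shared TLSConfig, certificates loaded from `certificates_directory`) has no assertion in this file; the same gap is in the StartTLS/SkipVerify sections starting at L572 and L611, which also accept `gomock.Any()` for the dial options. Since the dial options are opaque functions, the practical check is on the provider after construction, the way TestShouldParseDynamicConfiguration checks `usersDN`: assert the resolved TLS settings, e.g. that the server name is `127.0.0.1` and verification is enabled here, and that verification is disabled only in the tests that set `SkipVerify: true`. I cannot see which field of the provider holds the resolved `tls.Config`, so the exact accessor needs confirming against ldap_user_provider.go.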
@@ -65,26 +71,30 @@ func TestEscapeSpecialCharsFromUserInput(t *testing.T) {
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
- ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldaps://127.0.0.1:389",
- }, mockFactory)
+
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldaps://127.0.0.1:389",
+ },
+ nil,
+ mockFactory)
// No escape
- assert.Equal(t, "xyz", ldap.ldapEscape("xyz"))
+ assert.Equal(t, "xyz", ldapClient.ldapEscape("xyz"))
// Escape
- assert.Equal(t, "test\\,abc", ldap.ldapEscape("test,abc"))
- assert.Equal(t, "test\\5cabc", ldap.ldapEscape("test\\abc"))
- assert.Equal(t, "test\\2aabc", ldap.ldapEscape("test*abc"))
- assert.Equal(t, "test \\28abc\\29", ldap.ldapEscape("test (abc)"))
- assert.Equal(t, "test\\#abc", ldap.ldapEscape("test#abc"))
- assert.Equal(t, "test\\+abc", ldap.ldapEscape("test+abc"))
- assert.Equal(t, "test\\<abc", ldap.ldapEscape("test<abc"))
- assert.Equal(t, "test\\>abc", ldap.ldapEscape("test>abc"))
- assert.Equal(t, "test\\;abc", ldap.ldapEscape("test;abc"))
- assert.Equal(t, "test\\\"abc", ldap.ldapEscape("test\"abc"))
- assert.Equal(t, "test\\=abc", ldap.ldapEscape("test=abc"))
- assert.Equal(t, "test\\,\\5c\\28abc\\29", ldap.ldapEscape("test,\\(abc)"))
+ assert.Equal(t, "test\\,abc", ldapClient.ldapEscape("test,abc"))
+ assert.Equal(t, "test\\5cabc", ldapClient.ldapEscape("test\\abc"))
+ assert.Equal(t, "test\\2aabc", ldapClient.ldapEscape("test*abc"))
+ assert.Equal(t, "test \\28abc\\29", ldapClient.ldapEscape("test (abc)"))
+ assert.Equal(t, "test\\#abc", ldapClient.ldapEscape("test#abc"))
+ assert.Equal(t, "test\\+abc", ldapClient.ldapEscape("test+abc"))
+ assert.Equal(t, "test\\<abc", ldapClient.ldapEscape("test<abc"))
+ assert.Equal(t, "test\\>abc", ldapClient.ldapEscape("test>abc"))
+ assert.Equal(t, "test\\;abc", ldapClient.ldapEscape("test;abc"))
+ assert.Equal(t, "test\\\"abc", ldapClient.ldapEscape("test\"abc"))
+ assert.Equal(t, "test\\=abc", ldapClient.ldapEscape("test=abc"))
+ assert.Equal(t, "test\\,\\5c\\28abc\\29", ldapClient.ldapEscape("test,\\(abc)"))
}
func TestEscapeSpecialCharsInGroupsFilter(t *testing.T) {
@@ -92,10 +102,14 @@ func TestEscapeSpecialCharsInGroupsFilter(t *testing.T) {
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
- ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldaps://127.0.0.1:389",
- GroupsFilter: "(|(member={dn})(uid={username})(uid={input}))",
- }, mockFactory)
+
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldaps://127.0.0.1:389",
+ GroupsFilter: "(|(member={dn})(uid={username})(uid={input}))",
+ },
+ nil,
+ mockFactory)
profile := ldapUserProfile{
DN: "cn=john (external),dc=example,dc=com",
@@ -104,10 +118,10 @@ func TestEscapeSpecialCharsInGroupsFilter(t *testing.T) {
Emails: []string{"john.doe@authelia.com"},
}
- filter, _ := ldap.resolveGroupsFilter("john", &profile)
+ filter, _ := ldapClient.resolveGroupsFilter("john", &profile)
assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john))", filter)
- filter, _ = ldap.resolveGroupsFilter("john#=(abc,def)", &profile)
+ filter, _ = ldapClient.resolveGroupsFilter("john#=(abc,def)", &profile)
assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john\\#\\=\\28abc\\,def\\29))", filter)
}
@@ -135,17 +149,20 @@ func TestShouldEscapeUserInput(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldap://127.0.0.1:389",
- User: "cn=admin,dc=example,dc=com",
- UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
- UsernameAttribute: "uid",
- MailAttribute: "mail",
- DisplayNameAttribute: "displayname",
- Password: "password",
- AdditionalUsersDN: "ou=users",
- BaseDN: "dc=example,dc=com",
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ Password: "password",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ },
+ nil,
+ mockFactory)
mockConn.EXPECT().
// Here we ensure that the input has been correctly escaped.
@@ -164,17 +181,20 @@ func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldap://127.0.0.1:389",
- User: "cn=admin,dc=example,dc=com",
- UsernameAttribute: "uid",
- UsersFilter: "(&({username_attribute}={input})(&(objectCategory=person)(objectClass=user)))",
- Password: "password",
- AdditionalUsersDN: "ou=users",
- BaseDN: "dc=example,dc=com",
- MailAttribute: "mail",
- DisplayNameAttribute: "displayname",
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ UsernameAttribute: "uid",
+ UsersFilter: "(&({username_attribute}={input})(&(objectCategory=person)(objectClass=user)))",
+ Password: "password",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ },
+ nil,
+ mockFactory)
mockConn.EXPECT().
Search(NewSearchRequestMatcher("(&(uid=john)(&(objectCategory=person)(objectClass=user)))")).
@@ -206,20 +226,23 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldap://127.0.0.1:389",
- User: "cn=admin,dc=example,dc=com",
- Password: "password",
- UsernameAttribute: "uid",
- MailAttribute: "mail",
- DisplayNameAttribute: "displayname",
- UsersFilter: "uid={input}",
- AdditionalUsersDN: "ou=users",
- BaseDN: "dc=example,dc=com",
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ },
+ nil,
+ mockFactory)
mockFactory.EXPECT().
- Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().
@@ -274,18 +297,21 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldap://127.0.0.1:389",
- User: "cn=admin,dc=example,dc=com",
- Password: "password",
- UsernameAttribute: "uid",
- UsersFilter: "uid={input}",
- AdditionalUsersDN: "ou=users",
- BaseDN: "dc=example,dc=com",
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ },
+ nil,
+ mockFactory)
mockFactory.EXPECT().
- Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().
@@ -331,20 +357,23 @@ func TestShouldReturnUsernameFromLDAP(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldap://127.0.0.1:389",
- User: "cn=admin,dc=example,dc=com",
- Password: "password",
- UsernameAttribute: "uid",
- MailAttribute: "mail",
- DisplayNameAttribute: "displayname",
- UsersFilter: "uid={input}",
- AdditionalUsersDN: "ou=users",
- BaseDN: "dc=example,dc=com",
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ },
+ nil,
+ mockFactory)
mockFactory.EXPECT().
- Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().
@@ -392,6 +421,209 @@ func TestShouldReturnUsernameFromLDAP(t *testing.T) {
assert.Equal(t, details.Username, "John")
}
+func TestShouldUpdateUserPassword(t *testing.T) {
+ ctrl := gomock.NewController(t)
+ defer ctrl.Finish()
+
+ mockFactory := NewMockLDAPConnectionFactory(ctrl)
+ mockConn := NewMockLDAPConnection(ctrl)
+
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ },
+ nil,
+ mockFactory)
+
+ modifyRequest := ldap.NewModifyRequest("uid=test,dc=example,dc=com", nil)
+ modifyRequest.Replace("userPassword", []string{"password"})
+
+ gomock.InOrder(
+ mockFactory.EXPECT().
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
+ Return(mockConn, nil),
+ mockConn.EXPECT().
+ Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
+ Return(nil),
+ mockConn.EXPECT().
+ Search(gomock.Any()).
+ Return(&ldap.SearchResult{
+ Entries: []*ldap.Entry{
+ {
+ DN: "uid=test,dc=example,dc=com",
+ Attributes: []*ldap.EntryAttribute{
+ {
+ Name: "displayname",
+ Values: []string{"John Doe"},
+ },
+ {
+ Name: "mail",
+ Values: []string{"test@example.com"},
+ },
+ {
+ Name: "uid",
+ Values: []string{"John"},
+ },
+ },
+ },
+ },
+ }, nil),
+ mockConn.EXPECT().
+ Modify(modifyRequest).
+ Return(nil),
+ mockConn.EXPECT().
+ Close(),
+ )
+
+ err := ldapClient.UpdatePassword("john", "password")
+
+ require.NoError(t, err)
+}
+
+func TestShouldCheckValidUserPassword(t *testing.T) {
+ ctrl := gomock.NewController(t)
+ defer ctrl.Finish()
+
+ mockFactory := NewMockLDAPConnectionFactory(ctrl)
+ mockConn := NewMockLDAPConnection(ctrl)
+
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ },
+ nil,
+ mockFactory)
+
+ gomock.InOrder(
+ mockFactory.EXPECT().
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
+ Return(mockConn, nil),
+ mockConn.EXPECT().
+ Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
+ Return(nil),
+ mockConn.EXPECT().
+ Search(gomock.Any()).
+ Return(&ldap.SearchResult{
+ Entries: []*ldap.Entry{
+ {
+ DN: "uid=test,dc=example,dc=com",
+ Attributes: []*ldap.EntryAttribute{
+ {
+ Name: "displayname",
+ Values: []string{"John Doe"},
+ },
+ {
+ Name: "mail",
+ Values: []string{"test@example.com"},
+ },
+ {
+ Name: "uid",
+ Values: []string{"John"},
+ },
+ },
+ },
+ },
+ }, nil),
+ mockFactory.EXPECT().
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
+ Return(mockConn, nil),
+ mockConn.EXPECT().
+ Bind(gomock.Eq("uid=test,dc=example,dc=com"), gomock.Eq("password")).
+ Return(nil),
+ mockConn.EXPECT().
+ Close().Times(2),
+ )
+
+ valid, err := ldapClient.CheckUserPassword("john", "password")
+
+ assert.True(t, valid)
+ require.NoError(t, err)
+}
+
+func TestShouldCheckInvalidUserPassword(t *testing.T) {
+ ctrl := gomock.NewController(t)
+ defer ctrl.Finish()
+
+ mockFactory := NewMockLDAPConnectionFactory(ctrl)
+ mockConn := NewMockLDAPConnection(ctrl)
+
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ },
+ nil,
+ mockFactory)
+
+ gomock.InOrder(
+ mockFactory.EXPECT().
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
+ Return(mockConn, nil),
+ mockConn.EXPECT().
+ Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
+ Return(nil),
+ mockConn.EXPECT().
+ Search(gomock.Any()).
+ Return(&ldap.SearchResult{
+ Entries: []*ldap.Entry{
+ {
+ DN: "uid=test,dc=example,dc=com",
+ Attributes: []*ldap.EntryAttribute{
+ {
+ Name: "displayname",
+ Values: []string{"John Doe"},
+ },
+ {
+ Name: "mail",
+ Values: []string{"test@example.com"},
+ },
+ {
+ Name: "uid",
+ Values: []string{"John"},
+ },
+ },
+ },
+ },
+ }, nil),
+ mockFactory.EXPECT().
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
+ Return(mockConn, nil),
+ mockConn.EXPECT().
+ Bind(gomock.Eq("uid=test,dc=example,dc=com"), gomock.Eq("password")).
+ Return(errors.New("Invalid username or password")),
+ mockConn.EXPECT().
+ Close(),
+ )
+
+ valid, err := ldapClient.CheckUserPassword("john", "password")
+
+ assert.False(t, valid)
+ require.EqualError(t, err, "Authentication of user john failed. Cause: Invalid username or password")
+}
+
func TestShouldCallStartTLSWhenEnabled(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
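Review bot: TestShouldCheckInvalidUserPassword expects `Close()` exactly once (L488-L489) after the user Bind fails at L486-L487, whereas the valid-password test expects `Close().Times(2)`; if `connect` returns the Bind error without closing the connection it just dialed, this expectation is pinning a leaked LDAP connection on every wrong-password attempt rather than guarding against it, which matters because wrong-password attempts are the attacker-driven path. Either have `connect` close the connection on Bind failure and change the expectation to `Close().Times(2)`, or, if the close happens somewhere not visible here, add a comment on the expectation such as `// the failed user connection is closed by connect itself, so only the admin connection closes here` so the single Close is not read as a leak. The `Search(gomock.Any())` expectations in all three new tests also leave the resolved users filter unchecked; `NewSearchRequestMatcher` with the expected filter, as already used at L196, would pin it. `connect` and `CheckUserPassword` live outside this file, so whether the connection is closed on Bind failure needs confirming there.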
@@ -399,21 +631,24 @@ func TestShouldCallStartTLSWhenEnabled(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldap://127.0.0.1:389",
- User: "cn=admin,dc=example,dc=com",
- Password: "password",
- UsernameAttribute: "uid",
- MailAttribute: "mail",
- DisplayNameAttribute: "displayname",
- UsersFilter: "uid={input}",
- AdditionalUsersDN: "ou=users",
- BaseDN: "dc=example,dc=com",
- StartTLS: true,
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ StartTLS: true,
+ },
+ nil,
+ mockFactory)
mockFactory.EXPECT().
- Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().
@@ -464,6 +699,36 @@ func TestShouldCallStartTLSWhenEnabled(t *testing.T) {
assert.Equal(t, details.Username, "john")
}
+func TestShouldParseDynamicConfiguration(t *testing.T) {
+ ctrl := gomock.NewController(t)
+ defer ctrl.Finish()
+
+ mockFactory := NewMockLDAPConnectionFactory(ctrl)
+
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "(&(|({username_attribute}={0})({mail_attribute}={0})({display_name_attribute}={0}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))",
+ GroupsFilter: "(&(|(member={dn})(member={0})(member={1}))(objectClass=group))",
+ AdditionalUsersDN: "ou=users",
+ AdditionalGroupsDN: "ou=groups",
+ BaseDN: "dc=example,dc=com",
+ StartTLS: true,
+ },
+ nil,
+ mockFactory)
+
+ assert.Equal(t, "(&(|(uid={input})(mail={input})(displayname={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))", ldapClient.configuration.UsersFilter)
+ assert.Equal(t, "(&(|(member={dn})(member={input})(member={username}))(objectClass=group))", ldapClient.configuration.GroupsFilter)
+ assert.Equal(t, "ou=users,dc=example,dc=com", ldapClient.usersDN)
+ assert.Equal(t, "ou=groups,dc=example,dc=com", ldapClient.groupsDN)
+}
+
func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
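Review bot: TestShouldParseDynamicConfiguration pins the translation of the legacy `{0}`/`{1}` placeholders (L553-L554) into `{input}`/`{username}` (L563-L564) without saying so, and a reader who does not know the deprecation history will take `{0}` in the filter for a typo. A comment above the configuration such as `// {0} and {1} are the deprecated placeholder names; they must still resolve to {input} and {username} until the translations are removed in 4.28.0.` ties the test to the deprecation described in the commit message. The `mockFactory` at L543 is created with no expectations, which is correct because no connection is made in this test, but a one-line comment stating that would keep it from being read as a missing `EXPECT()`.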
@@ -471,22 +736,27 @@ func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldap://127.0.0.1:389",
- User: "cn=admin,dc=example,dc=com",
- Password: "password",
- UsernameAttribute: "uid",
- MailAttribute: "mail",
- DisplayNameAttribute: "displayname",
- UsersFilter: "uid={input}",
- AdditionalUsersDN: "ou=users",
- BaseDN: "dc=example,dc=com",
- StartTLS: true,
- SkipVerify: true,
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldap://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ StartTLS: true,
+ TLS: &schema.TLSConfig{
+ SkipVerify: true,
+ },
+ },
+ nil,
+ mockFactory)
mockFactory.EXPECT().
- Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
+ DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().
@@ -544,22 +814,27 @@ func TestShouldReturnLDAPSAlreadySecuredWhenStartTLSAttempted(t *testing.T) {
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
- ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
- URL: "ldaps://127.0.0.1:389",
- User: "cn=admin,dc=example,dc=com",
- Password: "password",
- UsernameAttribute: "uid",
- MailAttribute: "mail",
- DisplayNameAttribute: "displayname",
- UsersFilter: "uid={input}",
- AdditionalUsersDN: "ou=users",
- BaseDN: "dc=example,dc=com",
- StartTLS: true,
- SkipVerify: true,
- }, mockFactory)
+ ldapClient := NewLDAPUserProviderWithFactory(
+ schema.LDAPAuthenticationBackendConfiguration{
+ URL: "ldaps://127.0.0.1:389",
+ User: "cn=admin,dc=example,dc=com",
+ Password: "password",
+ UsernameAttribute: "uid",
+ MailAttribute: "mail",
+ DisplayNameAttribute: "displayname",
+ UsersFilter: "uid={input}",
+ AdditionalUsersDN: "ou=users",
+ BaseDN: "dc=example,dc=com",
+ StartTLS: true,
+ TLS: &schema.TLSConfig{
+ SkipVerify: true,
+ },
+ },
+ nil,
+ mockFactory)
mockFactory.EXPECT().
- DialTLS(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389"), gomock.Any()).
+ DialURL(gomock.Eq("ldaps://127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().