Comment 2 for bug 1537908

Aaron Wells (u-aaronw) wrote:

Correction, on further analysis of the code, you don't have to have enabled user auto-creation or sync in order to be affected by this bug. Before the LDAP auth plugin tries to authenticate a username and password, it connects to the server using the Mahara bind DN & password (or anonymously) and runs an LDAP search to try to find out the DN for the user's record.

At first this seems like an unnecessary step. Why not just construct the user's DN using the user context, the username attribute, and the username value? But, users may be stored in multiple contexts (there is a "recurse into subcontexts" setting), and the username attribute may not be part of the user's DN. So this actually is a necessary step. (Although potentially we could cache the DN somewhere in Mahara's database to save on this extra connection step.)
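The search-then-bind flow described in this comment, as an added example that is not Mahara's own code: the client binds with a service account (or anonymously), searches the user context for the entry whose username attribute matches, and only then binds as the DN it found. The in-memory `FakeDirectory`, the sample entries, the service account name and all passwords are constructed for the example; the LDAP-specific rules it encodes (RFC 4515 filter escaping of the username, SUBTREE versus ONELEVEL scope for the "recurse into subcontexts" setting, requiring exactly one match, and refusing an empty password because an unauthenticated bind succeeds on many servers) are the parts a practitioner needs to carry over to a real client.

```python
import re
from dataclasses import dataclass

SUBTREE, ONELEVEL = 'subtree', 'onelevel'


def escape_filter_value(value):
    """RFC 4515 section 3: escape the characters that have meaning inside a
    search filter, so a username such as 'x)(uid=admin' stays a literal."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def _unescape(s):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


@dataclass
class Entry:
    dn: str
    attrs: dict      # attribute name -> value (single-valued for brevity)
    password: str    # what the server would check on a simple bind


class FakeDirectory:
    """Constructed stand-in for an LDAP server (assumption: not a real client
    library). It models only what the flow needs: simple bind, and an
    equality/substring search with ONELEVEL or SUBTREE scope. DN values in the
    sample data contain no escaped commas, so DNs are split naively."""

    def __init__(self, entries, service_dn, service_pw):
        self.entries = {e.dn: e for e in entries}
        self.service = (service_dn, service_pw)

    def bind(self, dn, password):
        if dn is None:
            return True          # anonymous bind
        if password == '':
            return True          # RFC 4513 5.1.2: unauthenticated bind "succeeds";
                                 # the client must refuse this before it gets here
        if (dn, password) == self.service:
            return True
        e = self.entries.get(dn)
        return e is not None and e.password == password

    def search(self, base, scope, ldap_filter):
        m = re.fullmatch(r'\((\w+)=(.*)\)', ldap_filter)
        if not m:
            raise ValueError('only simple equality filters are modelled')
        attr, raw = m.group(1), m.group(2)
        # a raw '*' is a wildcard; '\xx' escapes are literal characters
        rx = re.compile('.*'.join(re.escape(_unescape(p)) for p in raw.split('*')))
        hits = []
        for e in self.entries.values():
            if not e.dn.endswith(',' + base):
                continue
            if scope == ONELEVEL and ',' in e.dn[:-len(base) - 1]:
                continue
            if attr in e.attrs and rx.fullmatch(e.attrs[attr]):
                hits.append(e)
        return hits


class SearchThenBindAuth:
    """Service bind (or anonymous), search for the user's DN, bind as user."""

    def __init__(self, directory, user_context, user_attr,
                 search_subcontexts, bind_dn=None, bind_pw=None):
        self.directory = directory
        self.user_context = user_context
        self.user_attr = user_attr
        self.search_subcontexts = search_subcontexts
        self.bind_dn, self.bind_pw = bind_dn, bind_pw

    def find_user_dn(self, username):
        # This step runs for every login, whether or not auto-creation/sync is on.
        if not self.directory.bind(self.bind_dn, self.bind_pw):
            raise RuntimeError('service bind failed; LDAP unavailable')
        scope = SUBTREE if self.search_subcontexts else ONELEVEL
        flt = '(%s=%s)' % (self.user_attr, escape_filter_value(username))
        hits = self.directory.search(self.user_context, scope, flt)
        if len(hits) != 1:
            return None      # unknown, or ambiguous across contexts: refuse, don't guess
        return hits[0].dn

    def authenticate(self, username, password):
        if password == '':
            return False     # never send an unauthenticated bind
        dn = self.find_user_dn(username)
        if dn is None:
            return False
        return self.directory.bind(dn, password)


# Constructed sample directory: uid is not part of the DN, and users live in
# several subcontexts, which is exactly why the DN cannot simply be built.
BASE = 'ou=people,dc=example,dc=org'
SERVICE_DN = 'cn=mahara,ou=services,dc=example,dc=org'
DIRECTORY = FakeDirectory(
    entries=[
        Entry('cn=Alice Example,ou=staff,' + BASE, {'uid': 'alice'}, 'alice-pw'),
        Entry('cn=Bob One,ou=staff,' + BASE, {'uid': 'bob'}, 'bob1-pw'),
        Entry('cn=Bob Two,ou=students,' + BASE, {'uid': 'bob'}, 'bob2-pw'),
        Entry('cn=Carol Example,' + BASE, {'uid': 'carol'}, 'carol-pw'),
    ],
    service_dn=SERVICE_DN, service_pw='service-pw')
AUTH = SearchThenBindAuth(DIRECTORY, BASE, 'uid', search_subcontexts=True,
                          bind_dn=SERVICE_DN, bind_pw='service-pw')
AUTH_ONELEVEL = SearchThenBindAuth(DIRECTORY, BASE, 'uid', search_subcontexts=False,
                                   bind_dn=SERVICE_DN, bind_pw='service-pw')
```

With subcontext recursion off, `alice` (under `ou=staff`) is not found while `carol` (directly under the context) is; `bob` is rejected even with recursion on because two entries match, and `alice` with an empty password is rejected by the client even though the fake server, like many real ones, would report the bind as successful.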