
I am writing a Spring Boot application where I want to authenticate users against an LDAP server. I have seen solutions and API documentation where an admin user's credentials are hardcoded in the code.

My question is: why can't I simply use the credentials of the user that I am trying to authenticate in the first place? If the bind succeeds, I can confirm authentication and get the list of groups they belong to. Is there some good reason why I shouldn't do that?

Marci-man

    The admin credentials are likely needed to create/update a user, reset a user's password, etc. Authenticating against an existing user should not require admin credentials. Likely, an LDAP connection (pool) is shared between user maintenance and existing-user authentication, so all of the connections have the admin credentials even when not really needed. – Andrew S Mar 01 '18 at 17:08

2 Answers


Typically you want to have a service account, specific to the application:

  1. Perform the bind
  2. Look up the user
  3. Return the user's group membership
  4. The application authorizes the user based on the results

This helps with managing access controls on the authoritative backend because you only have to create ACIs for the service accounts rather than for each individual user. It's also more secure because you are granting permissions to a single account, and thus reducing the likelihood of misconfiguring a single user's permissions.

Tikiyetti

The reason LDAP examples often include admin users is that LDAP isn't always used for authentication (i.e., to determine if a particular username/password is valid), but sometimes for authorization only (i.e., to retrieve a user's assigned groups, to determine if they should have access to the protected resource), when the authentication part is done elsewhere (e.g., via Kerberos SSO). If your only use case is bind, then yes, you shouldn't need the admin user.

EDIT: one caveat, though - the LDAP server might have a restriction on binds (see this question, for example), in which case you'll need to have an admin user regardless.

Alex Savitsky