
LDAP allow filters not dependent on username #7930

Open
1 of 2 tasks
evlli opened this issue May 8, 2024 · 0 comments

Comments

@evlli

evlli commented May 8, 2024

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Environment

Self-hosted

Version

2.43.4

Database

PostgreSQL

Database Version

No response

Describe the problem caused by this bug

ZITADEL's userfilter works very differently from what I would typically expect, which is fine in itself.
The problem arises when trying to configure filters that aren't just dependent on the username.
For example, enabled=TRUE might be a typical filter one would want to use.

To reproduce

Enter anything but an attribute name into the userfilter.

Screenshots

No response

Expected behavior

Userfilters are an optional configuration to further restrict users.
The ID Attribute is already a required field for configuring an LDAP provider; filtering for ($id_attribute=$username) should be done automatically, since you don't allow us to template the username into the filter ourselves.

Operating System

No response

Relevant Configuration

No response

Additional Context

By appending )(enabled=TRUE to the last User ObjectClasses entry you can smuggle arbitrary filters into the query anyway, though I really, really don't want to do this in production.

Being able to configure a dedicated enable filter, e.g. userAccountControl:1.2.840.113556.1.4.803:=2 when using MS AD, would be really nice, though that is probably out of scope here.

Consider renaming user filters to loginname attributes, as that more accurately reflects their purpose, and adding a proper user filter field where I can provide plain LDAP filters without any automagic.
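Both points in the report above (the automatic `($id_attribute=$username)` clause the reporter expects, and the fact that `)(enabled=TRUE` appended to an ObjectClasses entry is copied verbatim into the query) come down to how the search filter string is assembled. The following Go example is added here and is not ZITADEL's code; the `LDAPSearchConfig` struct, `BuildUserFilter` and `validateFilter` are hypothetical names chosen for this illustration. It shows the defensive version of that assembly: every configured or user-supplied value that lands inside an assertion is escaped per RFC 4515, the ID attribute name is validated as an attribute description, and an optional operator-supplied filter is accepted only as one balanced top-level filter expression, so that configuration values cannot change the structure of the query.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// attrDescRe accepts an LDAP attribute description (name or numeric OID, optional
// ";option" suffix) and nothing that could open or close a filter expression.
var attrDescRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.;-]*$`)

// escapeFilterValue encodes the characters that have structural meaning inside an
// LDAP assertion value (RFC 4515 section 3) so the value cannot terminate or extend
// the filter it is embedded in. ")(enabled=TRUE" becomes "\29\28enabled=TRUE".
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// LDAPSearchConfig is a hypothetical configuration shape for this example, modelled
// on the fields discussed in the issue: a required ID attribute, a list of object
// classes, and a separate plain LDAP filter that restricts users further.
type LDAPSearchConfig struct {
	IDAttribute   string   // attribute matched against the login name, e.g. "uid"
	ObjectClasses []string // one or more object classes the entry must carry
	UserFilter    string   // optional, a complete filter such as "(enabled=TRUE)"
}

// validateFilter accepts only a single, parenthesis-balanced filter expression.
// It rejects bare "attr=value" and concatenations like "(a=1)(b=2)", which would
// silently change the meaning of the enclosing AND filter.
func validateFilter(f string) error {
	if !strings.HasPrefix(f, "(") || !strings.HasSuffix(f, ")") {
		return fmt.Errorf("user filter must be a parenthesised filter: %q", f)
	}
	depth := 0
	for i := 0; i < len(f); i++ {
		switch f[i] {
		case '\\':
			i++ // an escaped byte (\28, \29, ...) carries no structure; skip it
		case '(':
			depth++
		case ')':
			depth--
			if depth < 0 {
				return fmt.Errorf("unbalanced ')' in user filter: %q", f)
			}
			if depth == 0 && i != len(f)-1 {
				return fmt.Errorf("user filter must be a single expression: %q", f)
			}
		}
	}
	if depth != 0 {
		return fmt.Errorf("unbalanced '(' in user filter: %q", f)
	}
	return nil
}

// BuildUserFilter composes the search filter for one login attempt:
// (&(objectClass=...)(<IDAttribute>=<username>)<UserFilter>)
// Config values and the username are escaped; only UserFilter is trusted as
// filter syntax, and only after validation.
func BuildUserFilter(cfg LDAPSearchConfig, username string) (string, error) {
	if !attrDescRe.MatchString(cfg.IDAttribute) {
		return "", fmt.Errorf("invalid ID attribute %q", cfg.IDAttribute)
	}
	var parts []string
	if len(cfg.ObjectClasses) > 0 {
		var oc []string
		for _, c := range cfg.ObjectClasses {
			oc = append(oc, "(objectClass="+escapeFilterValue(c)+")")
		}
		if len(oc) == 1 {
			parts = append(parts, oc[0])
		} else {
			parts = append(parts, "(|"+strings.Join(oc, "")+")")
		}
	}
	parts = append(parts, "("+cfg.IDAttribute+"="+escapeFilterValue(username)+")")
	if cfg.UserFilter != "" {
		if err := validateFilter(cfg.UserFilter); err != nil {
			return "", err
		}
		parts = append(parts, cfg.UserFilter)
	}
	return "(&" + strings.Join(parts, "") + ")", nil
}

func main() {
	// Constructed sample configuration, including the AD "account disabled" bit
	// check mentioned in the issue, expressed as a proper negated filter.
	cfg := LDAPSearchConfig{
		IDAttribute:   "sAMAccountName",
		ObjectClasses: []string{"user", "person"},
		UserFilter:    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))",
	}
	f, err := BuildUserFilter(cfg, "alice")
	fmt.Println(f, err)

	// The smuggling trick from the issue no longer works: the injected text is escaped.
	cfg.ObjectClasses = []string{"user)(enabled=TRUE"}
	cfg.UserFilter = ""
	f, err = BuildUserFilter(cfg, "alice")
	fmt.Println(f, err)
}
```

The separation matters: object classes and the username are data and get escaped unconditionally, while the dedicated user filter field is the one place an operator intentionally writes filter syntax, which is why it is validated as a whole expression rather than escaped.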

@evlli evlli added the bug Something isn't working label May 8, 2024
@livio-a livio-a self-assigned this May 22, 2024
@livio-a livio-a added resources and removed bug Something isn't working labels May 22, 2024
@livio-a livio-a changed the title [Bug]: LDAP Userfilter unable configure searchfilter LDAP allow filters not dependent on username May 22, 2024
@livio-a livio-a removed their assignment May 22, 2024
Projects
Status: 🔖 Ready
Development

No branches or pull requests

3 participants