Fix OpenBao OIDC token exchange compatibility

src/internal/adapters/lldap/adapter.go

@@ -125,11 +125,16 @@ func (a *LDAPAdapter) LookupUser(ctx context.Context, username string) (*domain.
 	entry := result.Entries[0]
 	user := mapEntryToUser(entry)
 
-	// Run the canonical LDAP schema validator.
+	// Runtime login should not fail because a live directory entry is missing
+	// provisioning metadata such as cn/sn. Keep the warning visible for
+	// diagnostics, but return the resolved user so token issuance can proceed.
 	snap := validator.Snapshot{Users: []domain.User{user}}
 	report := validator.Validate(snap, validator.ModeProvisioning)
 	if !report.Passed {
-		return nil, fmt.Errorf("lldap: validation failed for user %q: %s", username, validationSummary(report))
+		if user.LDAPAttributes == nil {
+			user.LDAPAttributes = make(map[string]string)
+		}
+		user.LDAPAttributes["_validation_warning"] = validationSummary(report)
 	}
 
 	return &user, nil