An option to sync LDAP sources partially #9764

Open
sonroyaalmerol opened this issue May 18, 2024 · 0 comments
Labels
enhancement New feature or request

@sonroyaalmerol

Is your feature request related to a problem? Please describe.
We've been trying out Authentik for a while now and we're currently looking to integrate it within our current setup. We have an existing OpenLDAP service and we've been using that as Authentik's primary source. Due to how our current infrastructure works, we can't really move our account creation process over to Authentik.

Our current workaround to avoid waiting for the scheduled sync is having a script for the account creation process which communicates with both the OpenLDAP service and Authentik. The script creates the actual account on the OpenLDAP service then triggers an LDAP sync to Authentik.

This works fine for our purposes. However, every LDAP sync triggers a full directory query to our OpenLDAP service. With the amount of users we have, it takes a lot longer than we would like.

Describe the solution you'd like
A REST API or a CLI flag to the existing ak ldap_sync would be ideal. The API/flag should allow a username input which would specify which user (or any filter options really) Authentik will attempt to sync from the LDAP source.

Describe alternatives you've considered
I tried looking for current solutions but haven't found anything that would work in our situation. If there is, please guide me in the right direction.

This is pretty much the most straightforward (and relatively simple to implement?) suggestion I can think of.

I would imagine implementing Keycloak's way of automatically fetching unknown LDAP users on login would be more complicated.

Thanks for your hard work!

@sonroyaalmerol sonroyaalmerol added the enhancement New feature or request label May 18, 2024