go-ldap / ldap

Basic LDAP v3 functionality for the GO programming language.

can I bind with just username not dn?

tooptoop4 opened this issue · comments

I don't want to have a service account binding but want to use incoming user creds to bind. But they will only supply username/email, not DN.
Note: server does not allow anon bind.

I read "Active Directory will let you also bind using userPrincipalName instead of DN, so it might be helpful to attempt to bind as username@domain.com instead of username. Either users can be instructed to log in this way or the application can add @domain.com part upon binding attempt if feasible."

You can use another RDN if the directory server supports this. Active Directory for example allows you to use the sAMAccountName as bind name.

You can't use the plain CN for binding. In that case, you need to run an LDAP search request first to resolve the username to a distinguishedName.

user@domain worked well for Active Directory.
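
The userPrincipalName bind discussed in this thread, as an added example that is not part of the thread or of go-ldap's own code: it builds the bind name from what the user typed and refuses an empty password before any bind is sent. The `binder` interface, `defaultDomain`, `fakeConn` and the sample values are assumptions made for the example; a real `*ldap.Conn` would be passed where `fakeConn` is used.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// binder is satisfied by *ldap.Conn (github.com/go-ldap/ldap/v3) via Conn.Bind.
type binder interface{ Bind(username, password string) error }

var errEmptyPassword = errors.New("empty password refused")
var errBadUsername = errors.New("username not acceptable")

// bindName turns what the user typed into a userPrincipalName. defaultDomain
// (hypothetical parameter) is appended only when the input has no '@'.
func bindName(input, defaultDomain string) (string, error) {
	name := strings.TrimSpace(input)
	local, domain, hasAt := strings.Cut(name, "@")
	if local == "" || (hasAt && domain == "") || strings.Contains(domain, "@") ||
		strings.ContainsAny(name, "\x00\\,=") { // DN or DOMAIN\user forms are refused
		return "", errBadUsername
	}
	if !hasAt {
		return name + "@" + defaultDomain, nil
	}
	return name, nil
}

// authenticate binds as the user. A name with an empty password is an LDAP
// "unauthenticated" bind that a server may accept, so it never reaches Bind.
func authenticate(c binder, input, password, defaultDomain string) error {
	if password == "" {
		return errEmptyPassword
	}
	name, err := bindName(input, defaultDomain)
	if err != nil {
		return err
	}
	return c.Bind(name, password)
}

type fakeConn struct{ got string } // constructed stand-in that records the bind name
func (f *fakeConn) Bind(u, p string) error { f.got = u; return nil }
func main() {
	c := &fakeConn{}
	err := authenticate(c, "jdoe", "constructed-pw", "example.com")
	fmt.Println(c.got, err)
}
```
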