Directory Emulator in development environment bypasses authentication

[acharseth]

How to set up an emulated developer environment was answered here: #586
When I set up an emulated LDAP environment based on this all authentication get bypassed, in the sense that any password is accepted. I asked about this in #586 but don't feel I got an answer I could understand, so I repeat the question here in a new thread.

In the AuthServiceProvider I have set up a boot method like this:

    /**
     * Register any authentication / authorization services.
     */
    public function boot(): void
    {
        $this->registerPolicies();

        Fortify::authenticateUsing(function ($request) {
            $isDevEnv=(config('app.env')=='development');
            if ($isDevEnv) {
                if ($user = User::where('samaccountname', $request->userid)->first()) {
                    $userId=$user->samaccountname[0];
                    self::uaUidLog(LogType::Info, __CLASS__, $userId, "Found user. Acting as this (emulator)");
                    Container::getDefaultConnection()->actingAs($user);
                }
                else {         
                    $reqUser=$request->userid;
                    self::uaUidLog(LogType::Alert, __CLASS__, $reqUser, "Did not find user!");
                }
            }
            
            $validated = Auth::validate([
                'samaccountname' => $request->userid,
                'password' => $request->password, 

                'fallback' => [
                    'userid' => $request->userid,
                    'password' => $request->password,                   
                ],
                
            ]);
            $reqUser=$request->userid;
            Log::info("validated=$validated");
            return $validated ? Auth::getLastAttempted() : null;
        });
    }

I am using a seeder which creates my user in the emulated LDAP, sqlite:

...
$user=LdapUser::create([
            'cn' => 'My Name',
            'samaccountname' => 'userid',          
            'mail' => 'My email address', 
            'password' => 'secret',  
        ]);

So the questions is basically how can I set this up to not bypass authentication?

I am guessing that the issue is with Container::getDefaultConnection()->actingAs($user);, this is what makes the bypass possible?
I also notice in the log that $validated is set to 1, which, in my opinion, it should not have been set to since I entered a random password?