puppetlabs/vmpooler

Improve LDAP auth

Closed this issue · 0 comments

yachub commented

The current LDAP auth implementation only accepts a simple full distinguished name (DN) to bind in a loop of OU paths. This can be cumbersome when using Active Directory (or easily other providers) because the user's DN as the first part of the connection string is typically the display name.

Instead, this could be improved by adding the ability to use a service account to bind_as and perform a search (recursive) for a user based on a specified attribute, and then the actual bind is performed as the found user.
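The search-then-bind flow proposed in this issue, as an added example that is not vmpooler's own code. The in-memory FakeDirectory, the service-account DN, the sample user and the sAMAccountName attribute are constructed stand-ins for a real directory such as Active Directory; with a real server the same logic would sit on top of a client library like Net::LDAP.

```ruby
# Added example, not vmpooler's own code: service-account bind, search for
# the user by attribute, then bind as the DN that was found. FakeDirectory
# is a constructed in-memory stand-in for a real LDAP connection.
class FakeDirectory
  # entries: dn => { password: String, attrs: { attribute => value } }
  def initialize(entries)
    @entries = entries
  end
  # Simple bind. An empty password is rejected here; some real servers treat
  # it as an anonymous bind that "succeeds", so the caller must check it too.
  def bind(dn, password)
    e = @entries[dn]
    !e.nil? && !password.to_s.empty? && e[:password] == password
  end
  # Supports only an equality filter "(attr=value)", which is all the flow needs.
  def search(base, filter)
    m = filter.match(/\A\(([\w-]+)=(.*)\)\z/) or return []
    value = m[2].gsub(/\\([0-9a-f]{2})/i) { $1.hex.chr } # undo RFC 4515 escaping
    @entries.select { |dn, e| dn.end_with?(base) && e[:attrs][m[1]] == value }.keys
  end
end

# Escape login input per RFC 4515 so a username cannot alter the search filter.
def ldap_filter_escape(s)
  s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Returns [:ok, user_dn] or [:error, reason].
def search_and_bind(dir, service_dn:, service_pw:, base:, attr:, user:, password:)
  return [:error, :empty_password] if password.to_s.empty? # never try an unauthenticated bind
  return [:error, :service_bind_failed] unless dir.bind(service_dn, service_pw)
  matches = dir.search(base, "(#{attr}=#{ldap_filter_escape(user)})")
  return [:error, :user_not_found] if matches.empty?
  return [:error, :ambiguous_user] if matches.size > 1 # refuse to guess between entries
  user_dn = matches.first
  dir.bind(user_dn, password) ? [:ok, user_dn] : [:error, :bad_password]
end

# Constructed sample directory (Active Directory style: the DN uses the display name).
SERVICE_DN = 'CN=vmpooler svc,OU=Service Accounts,DC=example,DC=com'
DIRECTORY = FakeDirectory.new({
  SERVICE_DN => { password: 'svc-secret', attrs: { 'sAMAccountName' => 'vmpooler-svc' } },
  'CN=Jane Doe,OU=Engineering,OU=Users,DC=example,DC=com' =>
    { password: 'hunter2', attrs: { 'sAMAccountName' => 'jdoe' } }
})

def login(user, password)
  search_and_bind(DIRECTORY, service_dn: SERVICE_DN, service_pw: 'svc-secret',
                  base: 'DC=example,DC=com', attr: 'sAMAccountName',
                  user: user, password: password)
end
```

A login name of `*` is escaped before it reaches the filter, so it is looked up literally and fails instead of matching every entry under the base.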