Feature addition: LDAP alias dereference config
Overview
Implementation of an LDAP alias directory dereferencing option in the LDAP connector. Our LDAP tree uses baseline user directories (with passwords) under dc=[org] and per-system aliases to user directories granted access to [system] in ou=[system],dc=[org]. If DEX cannot dereference LDAP alias directories, it cannot properly look up or bind to the user's base directory.
What this PR does / why we need it
For LDAP directory trees that include alias directories, the user/group searches will not dereference an alias directory to the target. The Go LDAP module defaults to never dereferencing alias directories.
The `userSearch` and `groupSearch` config objects now have a `deref` key-value pair that can take the values `never` (default), `always`, `searching`, `finding`, in line with the LDAPv3 module's capabilities. Setting `deref: always` allows aliased user directories to be dereferenced to their target LDAP directory, and the DN and attributes of the target are returned instead of those of the alias directory.
One minor additional fixup: if neither the `emailAttr` nor the `emailSuffix` key is defined on the `userSearch` config object, then the code will not object but will fail authentication with the message:
time="2021-10-27T17:33:41Z" level=error msg="Failed to login user: ldap: entry \"uid=[uid],ou=People,dc=[org]\" missing following required attribute(s): [\"\"]"
A check of the config was added to abort startup if both `emailAttr` and `emailSuffix` are undefined in the `userSearch` config.
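As an added example (not dex's own code and not part of this PR), the following Go sketch covers the two config behaviours described above: mapping the `deref` value of a `userSearch`/`groupSearch` block to the alias-dereference enumeration an LDAP search request carries, and refusing to start when a `userSearch` sets neither `emailAttr` nor `emailSuffix`. The `UserSearch` struct, the function names and the sample DN are assumptions made for this example; the four enumeration values are the ones RFC 4511 defines for `derefAliases` (never=0, searching=1, finding=2, always=3).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Alias-dereference policies of an LDAP SearchRequest (RFC 4511 derefAliases).
// The integers are the protocol enumeration values.
const (
	NeverDerefAliases   = 0 // default: an alias entry is returned as itself
	DerefInSearching    = 1 // dereference aliases below the base object only
	DerefFindingBaseObj = 2 // dereference aliases while locating the base object
	DerefAlways         = 3 // dereference everywhere; the target's DN/attrs come back
)

// UserSearch is a hypothetical stand-in for the userSearch config object,
// holding only the keys this example needs (not dex's own type).
type UserSearch struct {
	BaseDN      string
	EmailAttr   string
	EmailSuffix string
	Deref       string // "", never, always, searching, finding
}

// ParseDeref maps the config string to the search-request enumeration value.
// An empty string keeps the library default of never dereferencing.
func ParseDeref(s string) (int, error) {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "", "never":
		return NeverDerefAliases, nil
	case "searching":
		return DerefInSearching, nil
	case "finding":
		return DerefFindingBaseObj, nil
	case "always":
		return DerefAlways, nil
	default:
		return 0, fmt.Errorf("ldap: unknown deref value %q (want never, searching, finding or always)", s)
	}
}

// ValidateUserSearch is the startup check described in the PR text: with
// neither emailAttr nor emailSuffix set, every login would otherwise fail
// later with a "missing required attribute(s): [\"\"]" error, so the
// misconfiguration is reported once, at startup, instead.
func ValidateUserSearch(u UserSearch) error {
	if u.EmailAttr == "" && u.EmailSuffix == "" {
		return errors.New("ldap: userSearch must set emailAttr or emailSuffix")
	}
	if _, err := ParseDeref(u.Deref); err != nil {
		return err
	}
	return nil
}

func main() {
	// Constructed sample config: per-system alias subtree, deref enabled.
	cfg := UserSearch{
		BaseDN:    "ou=example-system,dc=example,dc=org", // placeholder DN
		EmailAttr: "mail",
		Deref:     "always",
	}
	if err := ValidateUserSearch(cfg); err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	deref, _ := ParseDeref(cfg.Deref)
	fmt.Printf("search under %s with derefAliases=%d\n", cfg.BaseDN, deref)
}
```

Running the block prints the sample base DN with `derefAliases=3`; dropping `EmailAttr` from the sample config makes `ValidateUserSearch` return the startup error instead.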