Our LDAP support had a regression a while back that prevented importing

a user on demand when entering their username in a list of reviewers.

This was due to a contribution that added required arguments (the

LDAP connection and the base user DN) to the get_or_create_user()

method. The expectation in the patch was that this would only be called

by authenticate(), which wasn't true.
To fix this, authenticate() itself was split up a bit. The connection

creation and the user DN query code have been split into reusable

functions, which both authenticate() and get_or_create_user() both

use. get_or_create_user() still allows the connection and base user

DN to be provided, but they're now optional and will be looked up if

needed.
While here, I cleaned up much of the LDAP support. The errors are now a

lot more clear and useful, styling has been fixed, and the whole class

is fully documented.
Unit tests have also been added to ensure that this does not regress and

that behavior does not unexpectedly change.

Unit tests pass.
Tested authenticating users against a real LDAP server.
Tested adding users (ones in the existing DB, ones not in the DB but in

LDAP, and ones in neither) to a review request. Verified that the users

were looked up and created when needed.
Tested that the error messages seemed reasonable.