LDAP identity plugin passes authentication exceptions to the engine

[mboskamp]

Acceptance Criteria (Required on creation)

The LDAP identity plugin can perform a password check for a given user. If the LDAP server responds with an error, this error is never propagated back to the calling code. There should be a way to handle those exceptions as ProcessEngineExceptions.

Hints

This code performs the password check and handles the returned error.

Links

Breakdown

### Tasks
- [ ] https://github.com/camunda/camunda-bpm-platform/pull/3529
- [ ] https://github.com/camunda/camunda-docs-manual/pull/1487

[mboskamp]

Solution ideas

Option 1: Plugin config flag

Introduce a plugin configuration flag that controls whether an LdapAuthenticationException is silently caught or re-thrown in the password check method

Pros:

• Users of the LDAP identity plugin who are not interested in this feature will not be affected.

Cons:

• The password check API could also receive those exceptions. This is probably not a big deal, since the ProcessEngineException handling will still work here. Also, only users are affected that explicitly enable this functionality in the plugin.

~Option 2: Dedicated password check~

The webapps could use a different password check method than the Java API. This dedicated method would re-throw the LdapAuthenticationException.

Pros:

• Does not impact any other users
• Password check API is not affected
• We can handle the LdapAuthenticationException only in the webapps

Cons:

• Other identity plugins would also need to implement the new method, even if they don't intend to use it.

[mboskamp]

Decision:

We will go with solution 1: plugin config flag

• It only affects users who enable the new functionality.
• It is significantly easier to implement.