Project Quay: PROJQUAY-5111

Leaking sensitive LDAP information and granting brute-force authentication

      With LDAP-based authentication (`AUTHENTICATION_TYPE: LDAP`), Quay reveals whether an account exists by replying with one of two distinct error messages:

      • Invalid username
      • Invalid password

      Following best practice, the response should not reveal whether the username is valid and only the password is wrong.

      Visible in data/users/externalldap.py:

          if not referral_dn:
              return (None, "Invalid username")

          try:
              with LDAPConnection(
                  self._ldap_uri, referral_dn, password, self._allow_tls_fallback
              ):
                  pass
          except ldap.INVALID_CREDENTIALS:
              logger.debug("Invalid LDAP credentials")
              return (None, "Invalid password")

      Furthermore, the externalldap authentication lacks the verify_user method call that ensures Quay does not allow brute-force authentication.

      This method is used in:

      • data/model/user.py
      • data/users/database.py
      • oauth/services/github.py
      • oauth/services/google.py
      • oauth/login.py

      but is missing in data/users/externalldap.py, as is a `DEBUG` log line showing that authentication has failed.

      Additionally, it would be nice to export such failure counts as metrics so they can be monitored through the metrics services.
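      As an added illustration (not Quay's code), the two changes this report asks for in one place: a single generic error for both an unknown username and a wrong password, with the distinguishing cause kept at DEBUG log level only, and a per-user failed-attempt limit standing in for a verify_user-style brute-force check. The in-memory directory, the lockout threshold and the class and method names are constructed for the example.

```python
import logging
from collections import defaultdict

logger = logging.getLogger(__name__)

# Constructed in-memory stand-in for an LDAP directory: username -> password.
FAKE_DIRECTORY = {"alice": "correct-horse"}

GENERIC_ERROR = "Invalid username or password"
MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold for the example


class LdapAuth:
    """Minimal authenticator mirroring the lookup-then-bind flow in the report."""

    def __init__(self, directory=FAKE_DIRECTORY, max_failures=MAX_FAILED_ATTEMPTS):
        self._directory = directory
        self._max_failures = max_failures
        self._failures = defaultdict(int)  # username -> consecutive failures

    def _verify_user(self, username):
        # Brute-force guard: refuse further attempts once the limit is reached,
        # even if the submitted password would have been correct.
        return self._failures[username] < self._max_failures

    def _record_failure(self, username, reason):
        self._failures[username] += 1
        # The distinguishing detail goes to the DEBUG log, never to the caller.
        logger.debug("LDAP auth failed for %r: %s (count=%d)",
                     username, reason, self._failures[username])

    def verify_credentials(self, username, password):
        """Return (username, None) on success or (None, error) on failure."""
        if not self._verify_user(username):
            self._record_failure(username, "too many failed attempts")
            return (None, GENERIC_ERROR)
        stored = self._directory.get(username)  # stand-in for the referral_dn lookup
        if stored is None:
            self._record_failure(username, "unknown username")
            return (None, GENERIC_ERROR)  # same message as a wrong password
        if stored != password:  # stand-in for the LDAP bind
            self._record_failure(username, "invalid password")
            return (None, GENERIC_ERROR)  # same message as an unknown username
        self._failures.pop(username, None)  # reset the counter on success
        return (username, None)
```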

      Reporter: Michaela Lang (rhn-support-milang)