
Add optional LDAP-backed PAP authentication in RADIUS auth pipeline#204

Draft
Copilot wants to merge 6 commits into main from copilot/support-ldap-authentication

Conversation


Copilot AI commented Mar 20, 2026

Issue summary: users requested LDAP support for unified identity authentication. This PR introduces optional LDAP password verification in the existing auth flow with minimal surface-area change and preserves current local-auth behavior by default.

  • Auth pipeline integration
    • Injects config_mgr into auth plugin metadata so validators can read runtime settings.
    • Keeps plugin architecture intact; no new auth flow or route layer introduced.
  • LDAP support (PAP only)
    • Adds validatePasswordWithLDAP(...) helper in auth validators.
    • PAP now attempts LDAP bind-based verification when enabled; otherwise falls back to local password comparison.
    • CHAP remains local validation (LDAP bind requires cleartext password semantics not available in CHAP exchange).
    • Uses escaped LDAP filter substitution ({username}) to prevent LDAP filter injection.
  • Config schema additions (sys_config)
    • radius.LdapEnabled
    • radius.LdapServer
    • radius.LdapBaseDN
    • radius.LdapUserFilter
    • radius.LdapBindDN
    • radius.LdapBindPassword
    • radius.LdapTimeoutSeconds
  • Error semantics
    • LDAP failures return typed auth errors under MetricsRadiusRejectLdapError.
    • Distinguishes user-not-found vs multi-entry lookup outcomes for clearer ops diagnostics.
  • Docs
    • README updated with LDAP configuration and scope clarification (PAP path).

Example (PAP validator precedence):

```go
// LDAP takes precedence for PAP when enabled; local password comparison is used as fallback.
handled, err := validatePasswordWithLDAP(authCtx, requestPassword)
if handled {
    return err
}
if strings.TrimSpace(requestPassword) != password {
    return errors.NewPasswordMismatchError()
}
```
Original prompt

This section details the original issue you should resolve

<issue_title>Support LDAP</issue_title>
<issue_description>We would like LDAP support so we can implement unified identity authentication. Is there any plan to consider this?</issue_description>

<agent_instructions>Comprehensively analyze the feasibility of this requirement</agent_instructions>

Comments on the Issue (you are @copilot in this section)
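The escaped {username} substitution and the user-not-found versus multi-entry lookup outcomes described in the PR summary, as an added Go example that is not the PR's own code. EscapeFilterValue, BuildUserFilter, ResolveUserDN and the error names are assumed, and the directory search is injected as a function so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Typed outcomes; the names are assumed, the PR only says they are distinguished.
var (
	ErrUserNotFound    = errors.New("ldap: no entry matched the user filter")
	ErrMultipleEntries = errors.New("ldap: user filter matched more than one entry")
)

// EscapeFilterValue escapes the RFC 4515 metacharacters so a username cannot
// change the filter's structure: "*)(uid=*" becomes `\2a\29\28uid=\2a`.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildUserFilter substitutes the escaped username for the {username} placeholder,
// mirroring the radius.LdapUserFilter template described in the PR.
func BuildUserFilter(template, username string) string {
	return strings.ReplaceAll(template, "{username}", EscapeFilterValue(username))
}

// ResolveUserDN runs the search (injected so the example runs offline) and
// insists on exactly one match before the bind step may use that DN.
func ResolveUserDN(search func(filter string) []string, template, username string) (string, error) {
	dns := search(BuildUserFilter(template, username))
	switch len(dns) {
	case 0:
		return "", ErrUserNotFound
	case 1:
		return dns[0], nil
	default:
		return "", ErrMultipleEntries
	}
}
```

A username of "*" is escaped to `\2a`, so it matches no entry and is rejected as user-not-found rather than widening the search.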



@jamiesun jamiesun marked this pull request as ready for review March 20, 2026 07:34
@jamiesun jamiesun marked this pull request as draft March 20, 2026 07:35
Copilot AI and others added 5 commits March 20, 2026 07:38
Co-authored-by: jamiesun <377938+jamiesun@users.noreply.github.com>
Copilot AI changed the title [WIP] Evaluate feasibility of supporting LDAP for unified authentication Add optional LDAP-backed PAP authentication in RADIUS auth pipeline Mar 20, 2026
Copilot AI requested a review from jamiesun March 20, 2026 07:44


Development

Successfully merging this pull request may close these issues.

Support LDAP
