Detect LDAP misconfiguration and fail earlier

Currently supported LDAP backends accept dozens of configuration
options. Some options are only supported by one backend, but not
others. The current code doesn't check if the supplied option is
supported or not by the actual backend.

Instead of curing the symptoms by spreading obfuscated checks across
the code base to detect and ignore the invalid configuration, cure the
disease: reject misconfiguration when the supplied option is not
supported by the actual backend.

Example: the RFC2307 backend doesn't accept ldap.accountMemberField

With this change, trying to supply it results in the error message:

  "LDAP backend doesn't support: ldap.accountMemberField"

The following error message is reported to the user:

  "Authentication unavailable at this time."

Change-Id: Ib82b5313dcaa892e41fd16482918e02a77381303
David Ostrovsky
2015-03-11 09:57:47 +01:00
committed by David Pursehouse
parent 26da0269ea
commit bddb0234c7


@@ -163,6 +163,7 @@ public class LdapRealm extends AbstractRealm {
return null;
} else {
checkBackendCompliance(n, v[0], Strings.isNullOrEmpty(d));
return v[0];
}
}
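Review bot: the meaning of the third argument is not evident at the call site `checkBackendCompliance(n, v[0], Strings.isNullOrEmpty(d));` since a null or empty default `d` is being used as the signal that the backend does not support the option, and a reader can easily confuse "no default value" with "not supported". Consider naming that condition where it is computed, e.g. `boolean unsupportedByBackend = Strings.isNullOrEmpty(d);`, or adding a short comment above the call, so the contract between the default table and this check is explicit and a later change to the defaults cannot silently weaken the rejection.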
@@ -186,6 +187,16 @@ public class LdapRealm extends AbstractRealm {
}
}
private static void checkBackendCompliance(String configOption,
String suppliedValue, boolean disabledByBackend) {
if (disabledByBackend && !Strings.isNullOrEmpty(suppliedValue)) {
String msg = String.format("LDAP backend doesn't support: ldap.%s",
configOption);
log.error(msg);
throw new IllegalArgumentException(msg);
}
}
@Override
public boolean allowsEdit(final Account.FieldName field) {
return !readOnlyAccountFields.contains(field);
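Review bot: `checkBackendCompliance` lacks Javadoc describing what `disabledByBackend` means and that the method is expected to fail closed by throwing; the behaviour the commit message relies on (the option is rejected and the user sees "Authentication unavailable at this time.") is only discoverable by reading the body. Also, `log.error(msg);` directly followed by `throw new IllegalArgumentException(msg);` reports the same condition twice if the caller that turns the exception into the user-facing message logs it as well; consider either logging at the point where the exception is handled or documenting here that the log line is the only place the concrete option name is recorded for the administrator. Including the backend in the message (the format string `"LDAP backend doesn't support: ldap.%s"` names only the option) would make the misconfiguration faster to diagnose.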