
Differentiate between incoming search requests of the service account and the user

Open fredreichbier opened this issue 8 years ago • 1 comment

We have a config option allow-search in the [ldap-proxy] section which enables forwarding of incoming search requests to the LDAP backend.

However, it would probably be nice to differentiate between the following two situations and to be able to enable only one of them:

  • a user has been authenticated by privacyIDEA and performs a subsequent LDAP search
  • a service user (whose DN is part of passthrough-binds) has been authenticated by the LDAP backend and performs a subsequent LDAP search

fredreichbier avatar Feb 09 '17 16:02 fredreichbier

Well, actually, we can differentiate the two situations, somewhat indirectly:

  • If we set bind-service-account=true, allow-search=true and do not set up any DNs in passthrough-binds, we only allow situation (1) of above. What would we use a service account for anyway, if not for searching?
  • If we set bind-service-account=false and allow-search=true, a user authentication against privacyIDEA will not result in a bind request being sent to the LDAP backend. User search requests are forwarded to the server, but will result in an error as the connection is unauthorized. This corresponds to only allowing situation (2) of above.

However, we could make the distinction more explicit.

fredreichbier avatar Feb 09 '17 16:02 fredreichbier
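The following is an added illustration, not code from privacyidea-ldap-proxy itself: it models how the three options named above (allow-search, bind-service-account, passthrough-binds) combine to let through only situation (1), only situation (2), or both. The dataclasses, helper names, the sample DNs and the descriptive result labels ("forwarded", "error-from-backend", ...) are constructed for this model and are not the proxy's real internals or LDAP result codes.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


# Constructed model of the three [ldap-proxy] options discussed in the issue.
@dataclass(frozen=True)
class ProxyConfig:
    allow_search: bool                  # allow-search
    bind_service_account: bool          # bind-service-account
    passthrough_binds: FrozenSet[str]   # passthrough-binds (DNs bound directly at the backend)


@dataclass
class Connection:
    """Simplified per-client state the proxy would track (assumption)."""
    bound_dn: Optional[str] = None
    authenticated_by: Optional[str] = None   # "privacyidea" or "ldap-backend"
    backend_bound: bool = False              # is the backend connection authenticated?


def handle_bind(cfg: ProxyConfig, conn: Connection, dn: str, privacyidea_accepts: bool) -> str:
    """Model a BindRequest. privacyidea_accepts stands in for the OTP check outcome (constructed)."""
    if dn in cfg.passthrough_binds:
        # Service user: the bind is forwarded unchanged and answered by the LDAP backend.
        # For the model we assume the backend accepts the credentials.
        conn.bound_dn, conn.authenticated_by, conn.backend_bound = dn, "ldap-backend", True
        return "success"
    if privacyidea_accepts:
        # Ordinary user: authenticated by privacyIDEA. The backend connection is only
        # bound (with the service account) when bind-service-account=true.
        conn.bound_dn, conn.authenticated_by = dn, "privacyidea"
        conn.backend_bound = cfg.bind_service_account
        return "success"
    return "invalidCredentials"


def handle_search(cfg: ProxyConfig, conn: Connection) -> str:
    """Model a SearchRequest on a bound connection.
    Return values are descriptive labels, not the proxy's actual LDAP result codes."""
    if not cfg.allow_search:
        return "refused-by-proxy"
    if not conn.backend_bound:
        # Forwarded, but the backend sees an unauthenticated connection and rejects it.
        return "error-from-backend"
    return "forwarded"


# Constructed sample DNs.
SERVICE_DN = "cn=svc,dc=example,dc=com"
USER_DN = "uid=alice,dc=example,dc=com"


def permitted_situations(cfg: ProxyConfig) -> set:
    """Which of the issue's two situations a given configuration lets through."""
    allowed = set()

    user = Connection()
    if (handle_bind(cfg, user, USER_DN, privacyidea_accepts=True) == "success"
            and handle_search(cfg, user) == "forwarded"):
        allowed.add(1)   # privacyIDEA-authenticated user may search

    svc = Connection()
    # The service account holds no privacyIDEA token, so it can only bind via passthrough.
    if (handle_bind(cfg, svc, SERVICE_DN, privacyidea_accepts=False) == "success"
            and handle_search(cfg, svc) == "forwarded"):
        allowed.add(2)   # backend-authenticated service user may search

    return allowed


# The two indirect configurations described in the comment, plus a permissive one.
ONLY_USERS = ProxyConfig(allow_search=True, bind_service_account=True,
                         passthrough_binds=frozenset())
ONLY_SERVICE = ProxyConfig(allow_search=True, bind_service_account=False,
                           passthrough_binds=frozenset({SERVICE_DN}))
BOTH = ProxyConfig(allow_search=True, bind_service_account=True,
                   passthrough_binds=frozenset({SERVICE_DN}))

if __name__ == "__main__":
    for name, cfg in [("only users", ONLY_USERS), ("only service", ONLY_SERVICE), ("both", BOTH)]:
        print(f"{name}: situations {sorted(permitted_situations(cfg))}")
```

Running the model shows the asymmetry the comment points at: in the "only service" configuration a user's search is not blocked by the proxy but fails at the backend, so the restriction relies on the backend refusing anonymous searches rather than on an explicit proxy decision.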