
Better alternatives to env for LDAP configuration

Problem

At the moment LDAP is configured using two env variables:

  • TT_LDAP_URL -- URL pointing to an LDAP server (e.g. ldap://localhost:1389).
  • TT_LDAP_DN_FMT -- a format string for the DN (Distinguished Name) used during BIND (e.g. cn=$USER,ou=users,dc=example,dc=org).
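As an added illustration (not code from this issue, picodata or tarantool), here is how the two current variables are read and how the DN format string is expanded. Escaping the substituted user name per RFC 4514 is my assumption about what a safe expansion should do, not something the issue describes.

```python
import os
from urllib.parse import urlsplit

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied string so it cannot alter the structure of the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")                      # NUL is hex-escaped
        elif ch == "#" and i == 0:
            out.append("\\#")                       # leading '#' is special
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                       # leading/trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(dn_fmt: str, user: str) -> str:
    """Expand a TT_LDAP_DN_FMT-style template: every $USER becomes the escaped user name."""
    if "$USER" not in dn_fmt:
        raise ValueError("DN format must contain $USER")
    return dn_fmt.replace("$USER", escape_dn_value(user))


def ldap_config_from_env(env=None) -> dict:
    """Read the two knobs from an environment mapping (os.environ by default) and validate them."""
    env = os.environ if env is None else env
    url = env.get("TT_LDAP_URL")
    dn_fmt = env.get("TT_LDAP_DN_FMT")
    if not url or not dn_fmt:
        raise ValueError("both TT_LDAP_URL and TT_LDAP_DN_FMT must be set")
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"unsupported LDAP URL: {url!r}")
    # Default LDAP ports are assumed when the URL carries none.
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return {"url": url, "dn_fmt": dn_fmt, "host": parts.hostname, "port": port}


if __name__ == "__main__":
    # Constructed sample environment mirroring the values quoted in the issue.
    sample = {"TT_LDAP_URL": "ldap://localhost:1389",
              "TT_LDAP_DN_FMT": "cn=$USER,ou=users,dc=example,dc=org"}
    cfg = ldap_config_from_env(sample)
    print(cfg["host"], cfg["port"], build_bind_dn(cfg["dn_fmt"], "alice"))
```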

This was never meant to be a final solution to the configuration problem. It's easy to implement, but one of its side effects has already backfired: we blacklist all TT_* env variables during picodata startup, which makes it harder to configure LDAP from the outside.

Thus, we should come up with a better way to configure LDAP authentication.

Possible solutions

  • Status quo: maybe env variables are not that bad, after all? It's possible to rename them or pass them via another set of env variables, like PICO_* -> TT_*. (thumbs down from @funbringer & @rosik)
    • Renaming to PICO_* doesn't look adequate in the pure tarantool codebase (it's not picodata per se).
    • Two sets of env variables look too complicated and will inhibit hot reload.
  • Add config knobs to box.cfg (two variables, one per current env variable)
    • This is the best proposal so far.
    • This will work even in R/O mode.
    • Admin will be able to change user's auth method even if LDAP is unavailable.
    • Seems to be more in line with how the rest of tarantool is configured.
  • Anything else?

This issue is postponed. For the moment we'll add TT_LDAP_* to picodata's allowlist, but the proper solution is welcome.

Edited by Dmitry Ivanov