refactor(ldap): use DialURL instead of deprecated Dial/DialTLS

ldap.Dial and ldap.DialTLS are deprecated in go-ldap/ldap/v3. Switch to
ldap.DialURL which is the recommended API. Also use fmt.Errorf with %w
for proper error wrapping.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ldap.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/amoghe/go-crypt"
@@ -32,30 +33,34 @@ type SMTPConfig struct {
 }
 
 func (l LDAP) Connect() (*LDAPConn, error) {
-	if l.Ssl {
-		if c, err := ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", l.Host, l.Port), &tls.Config{ServerName: l.Host}); err != nil {
-			return nil, errors.New("unable to establish LDAPS connection to " + fmt.Sprintf("%s:%d", l.Host, l.Port) + ": " + err.Error())
-		} else {
-			return &LDAPConn{
-				LDAP:       l,
-				connection: c,
-			}, nil
-		}
-	} else if c, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", l.Host, l.Port)); err != nil {
-		return nil, errors.New("unable to establish LDAP connection to " + fmt.Sprintf("%s:%d", l.Host, l.Port) + ": " + err.Error())
-	} else {
-		if l.Starttls {
-			if err = c.StartTLS(&tls.Config{ServerName: l.Host}); err != nil {
-				c.Close()
-				return nil, errors.New("unable to StartTLS: " + err.Error())
-			}
-		}
+	addr := fmt.Sprintf("%s:%d", l.Host, l.Port)
 
-		return &LDAPConn{
-			LDAP:       l,
-			connection: c,
-		}, nil
+	var opts []ldap.DialOpt
+	if l.Ssl {
+		opts = append(opts, ldap.DialWithTLSConfig(&tls.Config{ServerName: l.Host}))
 	}
+
+	scheme := "ldap"
+	if l.Ssl {
+		scheme = "ldaps"
+	}
+
+	c, err := ldap.DialURL(fmt.Sprintf("%s://%s", scheme, addr), opts...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to establish %s connection to %s: %w", strings.ToUpper(scheme), addr, err)
+	}
+
+	if l.Starttls {
+		if err = c.StartTLS(&tls.Config{ServerName: l.Host}); err != nil {
+			c.Close()
+			return nil, fmt.Errorf("unable to StartTLS: %w", err)
+		}
+	}
+
+	return &LDAPConn{
+		LDAP:       l,
+		connection: c,
+	}, nil
 }
 
 type LDAPConn struct {