refactor(ldap): use DialURL instead of deprecated Dial/DialTLS

ldap.Dial and ldap.DialTLS are deprecated in go-ldap/ldap/v3. Switch to
ldap.DialURL which is the recommended API. Also use fmt.Errorf with %w
for proper error wrapping.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ldap.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/amoghe/go-crypt"
@@ -32,22 +33,27 @@ type SMTPConfig struct {
 }
 
 func (l LDAP) Connect() (*LDAPConn, error) {
+	addr := fmt.Sprintf("%s:%d", l.Host, l.Port)
+
+	var opts []ldap.DialOpt
 	if l.Ssl {
-		if c, err := ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", l.Host, l.Port), &tls.Config{ServerName: l.Host}); err != nil {
+		opts = append(opts, ldap.DialWithTLSConfig(&tls.Config{ServerName: l.Host}))
-			return nil, errors.New("unable to establish LDAPS connection to " + fmt.Sprintf("%s:%d", l.Host, l.Port) + ": " + err.Error())
-		} else {
-			return &LDAPConn{
-				LDAP:       l,
-				connection: c,
-			}, nil
 	}
-	} else if c, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", l.Host, l.Port)); err != nil {
+
-		return nil, errors.New("unable to establish LDAP connection to " + fmt.Sprintf("%s:%d", l.Host, l.Port) + ": " + err.Error())
+	scheme := "ldap"
-	} else {
+	if l.Ssl {
+		scheme = "ldaps"
+	}
+
+	c, err := ldap.DialURL(fmt.Sprintf("%s://%s", scheme, addr), opts...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to establish %s connection to %s: %w", strings.ToUpper(scheme), addr, err)
+	}
+
 	if l.Starttls {
 		if err = c.StartTLS(&tls.Config{ServerName: l.Host}); err != nil {
 			c.Close()
-				return nil, errors.New("unable to StartTLS: " + err.Error())
+			return nil, fmt.Errorf("unable to StartTLS: %w", err)
 		}
 	}
 
@@ -56,7 +62,6 @@ func (l LDAP) Connect() (*LDAPConn, error) {
 		connection: c,
 	}, nil
 }
-}
 
 type LDAPConn struct {
 	LDAP