directoryserver: leave it to client to decide totp check

initially, the idea was to make the server enforce it, which is more secure. however,
we have three kinds of clients: an external cloudron dashboard, which needs totp;
an external cloudron app, which doesn't have totp; and external apps that don't have totp either.

given that the directory server is IP restricted, this is a reasonable compromise until
we move wholesale to oidc.

a directoryserver setting like "enforce totp" also does not work since this policy will be
applied to all clients.
This commit is contained in:
Girish Ramakrishnan
2024-01-07 20:38:36 +01:00
parent 7bb68ea6b5
commit 4ddcd547ba
2 changed files with 12 additions and 4 deletions


@@ -141,8 +141,8 @@ describe('Directory Server (LDAP)', function () {
await users.enableTwoFactorAuthentication(admin.id, totpToken, auditSource);
});
it('fails without 2fa', async function () {
const [error] = await safe(ldapBind(`cn=${admin.id},ou=users,dc=cloudron`, admin.password));
it('fails with empty 2fa', async function () {
const [error] = await safe(ldapBind(`cn=${admin.id}+totptoken=,ou=users,dc=cloudron`, admin.password));
expect(error).to.be.a(ldap.InvalidCredentialsError);
expect(error.lde_message).to.be('A totpToken must be provided');
});
@@ -153,6 +153,10 @@ describe('Directory Server (LDAP)', function () {
expect(error.lde_message).to.be('Invalid totpToken');
});
it('fails with no 2fa', async function () {
await ldapBind(`cn=${admin.id},ou=users,dc=cloudron`, admin.password);
});
it('succeeds with valid 2fa', async function () {
const totpToken = speakeasy.totp({ secret: twofa.secret, encoding: 'base32' });
await ldapBind(`cn=${admin.email}+totpToken=${totpToken},ou=users,dc=cloudron`, admin.password);