mandatory2fa: fix workflow when using external LDAP

* Always allow the mandatory 2fa setting to be saved
* Show warning for user if they have no 2fa setup and if not external 2fa
* If they get locked out anyway, they have to use CLI tool
* redirect for mandatory 2fa only if not external 2fa as well

src/test/user-directory-test.js

@@ -28,7 +28,7 @@ describe('User Directory', function () {
             let result = await tokens.listByUserId(admin.id);
             expect(result.length).to.be(1); // just confirm the token was really added!
 
-            await userDirectory.setProfileConfig({ mandatory2FA: true, lockUserProfiles: true }, auditSource);
+            await userDirectory.setProfileConfig({ mandatory2FA: true, lockUserProfiles: true }, { persistUserIdSessions: 'random' }, auditSource);
             result = await tokens.listByUserId(admin.id);
             expect(result.length).to.be(0); // should have been removed by mandatory 2fa setting change
         });