Please make the authenticate() method time constant, because now you can enumerate LDAP users with timing attacks:

- a failed login (bad password) with an existing user takes: 950-1100ms
- a failed login with a wrong user takes: 900-970ms

Thanks!
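The report above describes the classic pattern behind this kind of leak: when the user does not exist, the code skips the expensive credential check and returns early, so the two failure paths take measurably different time. The following Python is an added example, not the project's code, showing a leaky `authenticate_leaky()` beside a uniform-time `authenticate_uniform()` and a small harness that measures the gap. The LDAP bind is simulated with a PBKDF2 computation against a constructed in-memory directory; all function names, the `DIRECTORY` contents and the dummy credential are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed stand-in for an LDAP directory: username -> (salt, PBKDF2 hash).
# In a real deployment the password check is a bind against the LDAP server;
# here PBKDF2 plays the role of that comparatively expensive step.
_ITERATIONS = 20_000


def _check_cost(password: str, salt: bytes) -> bytes:
    """Simulated credential check with a cost comparable to a directory bind."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
DIRECTORY = {
    "alice": (_SALT, _check_cost("correct horse", _SALT)),  # constructed user
}

# Dummy credential: unknown users are checked against this so they cost the
# same as known users. It never yields a successful login (see the & below).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _check_cost("placeholder-never-matches", _DUMMY_SALT)


def authenticate_leaky(username: str, password: str) -> bool:
    """Vulnerable shape: early return when the user is unknown."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return False  # cheap path: its speed reveals that the user does not exist
    salt, expected = entry
    return hmac.compare_digest(_check_cost(password, salt), expected)


def authenticate_uniform(username: str, password: str) -> bool:
    """Hardened shape: the expensive check always runs, result folded in at the end."""
    entry = DIRECTORY.get(username)
    user_exists = entry is not None
    salt, expected = entry if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    # Run the full check on both paths, then combine with a non-short-circuit
    # operator so an unknown user can never authenticate via the dummy hash.
    match = hmac.compare_digest(_check_cost(password, salt), expected)
    return bool(match & user_exists)


def _median_seconds(fn, username: str, password: str, rounds: int = 5) -> float:
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def timing_ratio(fn) -> float:
    """Median time of a bad-password failure for a known user divided by the
    median time of a failure for an unknown user. Near 1.0 means no leak."""
    known = _median_seconds(fn, "alice", "not-the-password")
    unknown = _median_seconds(fn, "nobody", "not-the-password")
    return known / max(unknown, 1e-9)


if __name__ == "__main__":
    print(f"leaky   known/unknown ratio: {timing_ratio(authenticate_leaky):.1f}")
    print(f"uniform known/unknown ratio: {timing_ratio(authenticate_uniform):.2f}")
```

The same fix applies to a real LDAP backend: look up the user, and if the lookup fails still perform a bind (or equivalent work) against a fixed dummy DN before returning the generic failure, so both branches cost the same and the response carries no existence signal. Medians over a few rounds are used here because individual samples are noisy; a reviewer checking the fix should measure the same way rather than compare single requests.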