
feat: Add Kerberos support#4640

Open
Jabejixo wants to merge 3 commits into dexidp:master from Jabejixo:add-kerberos-supportt

Conversation

@Jabejixo
Contributor

Overview

Add Kerberos/SPNEGO Single Sign-On support for the LDAP connector, enabling seamless authentication for users in Active Directory/Kerberos environments without requiring password entry.

What this PR does / why we need it

This PR adds optional Kerberos (SPNEGO) authentication to the LDAP connector. When enabled, Dex can authenticate users via the Authorization: Negotiate header on the password login endpoint, completing the OIDC flow without rendering the password form.

Why we need it:

  • Enterprise environments with Active Directory heavily rely on Kerberos for SSO
  • Users on domain-joined machines can authenticate transparently without entering credentials
  • Reduces friction and improves security by leveraging existing Kerberos infrastructure

Key features:

  • Validates SPNEGO tokens using a service keytab
  • Maps Kerberos principals to LDAP usernames (localpart, sAMAccountName, or userPrincipalName)
  • Optional realm validation
  • Configurable fallback to password form when SPNEGO fails
  • Full compatibility with existing LDAP connector functionality

Configuration example:

```yaml
connectors:
- type: ldap
  id: corp-ldap
  config:
    # ... existing LDAP config ...
    kerberos:
      enabled: true
      keytabPath: /etc/dex/krb5.keytab
      expectedRealm: EXAMPLE.COM
      usernameFromPrincipal: localpart
      fallbackToPassword: false
```

Special notes for your reviewer

  • The SPNEGOAware interface in connector/spnego.go is designed to be generic, allowing other connectors to implement SPNEGO in the future if needed
  • All Kerberos-specific code is isolated in connector/ldap/kerberos.go for maintainability
  • Comprehensive test coverage included with mock validators
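The following is an added example, not code from this PR or from dex, sketching the request path the description outlines: read the `Authorization: Negotiate` header on the password-login endpoint, hand the decoded token to a validator, check the principal's realm against `expectedRealm`, derive the LDAP username per `usernameFromPrincipal`, and route any failure according to `fallbackToPassword`. The type and function names (`Principal`, `SPNEGOValidator`, `KerberosConfig`, `Outcome`, `Negotiate`, `MockValidator`) and the Go field names are assumptions for this sketch; the keytab-backed validation from the PR is replaced by a mock, in the same spirit as the PR's own mock-validator tests. It also adds an explicit 401 challenge outcome for requests that carry no ticket, which is how SPNEGO over HTTP (RFC 4559) starts the exchange but which the PR text does not describe.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Principal is what a SPNEGO validator returns after checking a ticket against the service keytab.
type Principal struct {
	Name  string // local part, e.g. "alice"
	Realm string // Kerberos realm, e.g. "EXAMPLE.COM"
}

// SPNEGOValidator stands in for the keytab-backed validator; this example drives it with a mock.
type SPNEGOValidator interface {
	Validate(token []byte) (Principal, error)
}

// KerberosConfig mirrors the YAML keys in the PR description (Go field names are assumed).
type KerberosConfig struct {
	Enabled               bool
	ExpectedRealm         string
	UsernameFromPrincipal string // "localpart", "sAMAccountName" or "userPrincipalName"
	FallbackToPassword    bool
}

type Outcome int // what the login handler should do next

const (
	OutcomeAuthenticated    Outcome = iota // identity established, finish the OIDC flow
	OutcomeChallenge                       // reply 401 with WWW-Authenticate: Negotiate
	OutcomeShowPasswordForm                // render the ordinary LDAP password form
	OutcomeRejected                        // SPNEGO failed and fallbackToPassword is false
)

var ErrRealmMismatch = errors.New("kerberos: principal realm does not match expectedRealm")

// UsernameFromPrincipal derives the LDAP lookup value from a validated principal, enforcing expectedRealm.
func UsernameFromPrincipal(p Principal, cfg KerberosConfig) (string, error) {
	if cfg.ExpectedRealm != "" && p.Realm != cfg.ExpectedRealm { // realm names are case-sensitive
		return "", ErrRealmMismatch
	}
	switch cfg.UsernameFromPrincipal {
	case "", "localpart", "sAMAccountName":
		return p.Name, nil // in AD the sAMAccountName normally equals the principal's local part
	case "userPrincipalName":
		return p.Name + "@" + p.Realm, nil
	default:
		return "", fmt.Errorf("kerberos: unsupported usernameFromPrincipal %q", cfg.UsernameFromPrincipal)
	}
}

// Negotiate inspects the Authorization header of a password-login request and returns the LDAP
// username on success; any SPNEGO failure is routed according to fallbackToPassword.
func Negotiate(r *http.Request, v SPNEGOValidator, cfg KerberosConfig) (string, Outcome, error) {
	if !cfg.Enabled {
		return "", OutcomeShowPasswordForm, nil
	}
	const prefix = "Negotiate "
	authz := r.Header.Get("Authorization")
	if !strings.HasPrefix(authz, prefix) {
		return "", OutcomeChallenge, nil // browsers send a ticket only after a 401 challenge (RFC 4559)
	}
	var username string
	token, err := base64.StdEncoding.DecodeString(strings.TrimSpace(authz[len(prefix):]))
	if err == nil {
		var p Principal
		if p, err = v.Validate(token); err == nil {
			username, err = UsernameFromPrincipal(p, cfg)
		}
	}
	if err == nil {
		return username, OutcomeAuthenticated, nil
	}
	if cfg.FallbackToPassword {
		return "", OutcomeShowPasswordForm, err // caller logs err, then renders the form
	}
	return "", OutcomeRejected, err
}

// MockValidator maps raw token bytes to principals in place of a real keytab check (constructed).
type MockValidator map[string]Principal

func (m MockValidator) Validate(token []byte) (Principal, error) {
	if p, ok := m[string(token)]; ok {
		return p, nil
	}
	return Principal{}, errors.New("unknown ticket")
}

func main() {
	cfg := KerberosConfig{Enabled: true, ExpectedRealm: "EXAMPLE.COM", UsernameFromPrincipal: "localpart"}
	v := MockValidator{"ticket-alice": {Name: "alice", Realm: "EXAMPLE.COM"}}
	req, _ := http.NewRequest(http.MethodPost, "/auth/corp-ldap/login", nil)
	req.Header.Set("Authorization", "Negotiate "+base64.StdEncoding.EncodeToString([]byte("ticket-alice")))
	fmt.Println(Negotiate(req, v, cfg)) // alice 0 <nil>
}
```

The realm check runs before username mapping on purpose: with `expectedRealm` set, a valid ticket from a trusted foreign realm is refused rather than mapped onto a same-named local account, and with `fallbackToPassword: false` that refusal ends the login instead of silently offering the password form.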

@nabokihms nabokihms added the release-note/new-feature Release note: Exciting New Features label Mar 13, 2026
@nabokihms nabokihms self-requested a review March 13, 2026 12:50
Member

@nabokihms nabokihms left a comment


Overall, looks good. Some minor suggestions. And there are also conflicts.

Comment thread connector/ldap/kerberos.go Outdated
Comment thread connector/ldap/kerberos.go Outdated
Comment thread connector/ldap/kerberos.go Outdated
Comment thread connector/ldap/kerberos.go
Comment thread connector/ldap/kerberos.go Outdated
@nabokihms nabokihms requested a review from sagikazarmark March 17, 2026 12:28
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
@Jabejixo Jabejixo force-pushed the add-kerberos-supportt branch from d5ff7e9 to d53acc6 Compare March 17, 2026 13:36
@Jabejixo Jabejixo requested a review from nabokihms March 17, 2026 13:42
@nabokihms
Member

All good from my side here. @sagikazarmark do you have any objections to merging this?


Labels

release-note/new-feature Release note: Exciting New Features
