Details
- Bug
- Resolution: Fixed
- Critical
- 1.5 M2
- None
- ldap
- Unit, Integration
Description
IMHO, the patch for XWIKI-2264 introduces a high security risk in LDAP authentication.
It may allow two different LDAP users to log in as the same XWiki user. Therefore, LDAP users named A.dmin, Ad.min or even A.d.m.i.n will log in as Admin and may receive Admin rights in a default wiki. This may happen when used with xwiki.authentication.ldap.mode_group_sync=create.
The cause of this issue is that the XWiki username is used to match XWiki users and LDAP users. The usage of a constant bindDN and xwiki.authentication.ldap.validate_password=0 in earlier releases also suffered from this security hole in another way, but that case is more unlikely to happen.
The risk can be mitigated in different ways (not exclusive):
1) Replacing spaces with another character instead of removing them may reduce potential name collisions; the character used should be user-configurable, so an admin may choose something judicious.
2) Generate a validXWikiName for all unsupported usernames (dots seem to be the only unsupported character for now) and use the DN stored in XWiki to match users with LDAP. This is not the case currently, and is the initial cause of this issue. This would really close the hole, but requires a larger fix.
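The collision described in this issue, and the two proposed mitigations, as an added illustration that is not XWiki's own code. It assumes, for the sake of the example, that the vulnerable mapping simply deletes dots and spaces from the LDAP uid to build the XWiki user name; the sample uids and DNs are constructed, and the helper names are hypothetical.

```python
import re

# Assumption for this example: the naive mapping drops dots and spaces
# (the issue names dots as the unsupported character).
UNSUPPORTED = re.compile(r"[. ]")

# Constructed sample LDAP uids: three distinct accounts that all
# sanitize to "Admin" under the naive mapping, plus the real Admin.
SAMPLE_UIDS = ["Admin", "A.dmin", "Ad.min", "A.d.m.i.n"]


def naive_xwiki_name(ldap_uid):
    """Vulnerable mapping: delete unsupported characters outright."""
    return UNSUPPORTED.sub("", ldap_uid)


def mapped_xwiki_name(ldap_uid, replacement="_"):
    """Mitigation 1: replace unsupported characters with an admin-chosen
    character instead of deleting them. This reduces collisions but does
    not remove them: an LDAP uid that already contains the replacement
    character (A_dmin) still collides with A.dmin."""
    return UNSUPPORTED.sub(replacement, ldap_uid)


def find_collisions(uids, mapper):
    """Group LDAP uids by the XWiki name the mapper assigns and return only
    the groups where more than one uid lands on the same XWiki user."""
    groups = {}
    for uid in uids:
        groups.setdefault(mapper(uid), []).append(uid)
    return {name: members for name, members in groups.items() if len(members) > 1}


class DnKeyedDirectory:
    """Mitigation 2: key LDAP-backed XWiki users on the stored DN, not on the
    sanitized name. A local user with no DN (such as the default Admin) can
    never be claimed by an LDAP account whose uid merely sanitizes to it."""

    def __init__(self, existing_local_names=()):
        self.by_dn = {}                       # DN -> XWiki user name
        self.names = set(existing_local_names)

    def login(self, dn, uid, replacement="_"):
        """Return the XWiki user for this DN, creating a unique one if needed."""
        if dn in self.by_dn:                  # known DN: same user every time
            return self.by_dn[dn]
        base = mapped_xwiki_name(uid, replacement)
        candidate, n = base, 1
        while candidate in self.names:        # never reuse a taken name
            n += 1
            candidate = "%s%d" % (base, n)
        self.names.add(candidate)
        self.by_dn[dn] = candidate
        return candidate


if __name__ == "__main__":
    print("naive:", find_collisions(SAMPLE_UIDS, naive_xwiki_name))
    print("replaced:", find_collisions(SAMPLE_UIDS, mapped_xwiki_name))
    print("replaced, residual:", find_collisions(["A.dmin", "A_dmin"], mapped_xwiki_name))
    wiki = DnKeyedDirectory(existing_local_names={"Admin"})
    print(wiki.login("uid=A.dmin,ou=people,dc=example,dc=org", "A.dmin"))
    print(wiki.login("uid=Admin,ou=people,dc=example,dc=org", "Admin"))
```

Run as a script it shows all four sample uids collapsing onto "Admin" under the naive mapping, no collisions among them once dots become underscores, the residual A.dmin/A_dmin collision that mitigation 1 cannot prevent, and the DN-keyed directory handing out distinct users (and refusing to map an LDAP uid onto the DN-less local Admin).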
Issue Links
- depends on XWIKI-2716 LDAP authentication should store the DN in a separate object in place of XWiki.XWikiUsers (Closed)