Fail early if LDAP fails authentication

This has to happen to not allow authentication with passwords of ghost
users.

aleksis/core/util/ldap.py

 """Utilities and extensions for django_auth_ldap."""
 
+from django.core.exceptions import PermissionDenied
+
 from django_auth_ldap.backend import LDAPBackend as _LDAPBackend
 
 
@@ -20,13 +22,13 @@ class LDAPBackend(_LDAPBackend):
         """
         user = ldap_user.authenticate(password)
 
+        if not user:
+            # Fail early and do not try other backends
+            raise PermissionDenied("LDAP failed to authenticate user")
+
         if self.settings.SET_USABLE_PASSWORD:
-            if user:
-                # Set a usable password so users can change their LDAP password
-                user.set_password(password)
-            else:
-                # Disable local password if authentication fails
-                user.set_unusable_password()
+            # Set a usable password so users can change their LDAP password
+            user.set_password(password)
             user.save()
 
         return user