LDAP: Restore an except clause and add test to cover it.

Most of the paths leading through this except clause were cut in
73e8bba37 "ldap auth: Reassure django_auth_ldap".  The remaining one
had no test coverage -- the case that leads to it had a narrow unit
test, but no test had the exception actually propagate here.  As a
result, the clause was mistakenly cut, in commit
8d7f961a6 "LDAP: Remove now-impossible except clause.", which could
lead to an uncaught exception in production.

Restore the except clause, and add a test for it.

zerver/tests/test_auth_backends.py

@@ -2174,6 +2174,13 @@ class TestLDAP(ZulipTestCase):
             with self.settings(LDAP_APPEND_DOMAIN='acme.com'):
                 backend.django_to_ldap_username(email)
 
+    @override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
+    def test_login_failure_when_domain_does_not_match(self):
+        # type: () -> None
+        with self.settings(LDAP_APPEND_DOMAIN='acme.com'):
+            user_profile = self.backend.authenticate(self.example_email("hamlet"), 'pass')
+            self.assertIs(user_profile, None)
+
     @override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
     def test_login_failure_due_to_wrong_subdomain(self):
         # type: () -> None

zproject/backends.py

@@ -433,10 +433,8 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
             return user_profile
         except Realm.DoesNotExist:
             return None
-        # ZulipLDAPException subclasses _LDAPUser.AuthenticationFailed
-        # and thus will automatically be caught and return None via
-        # django-auth-ldap's existing code, so we don't need to catch
-        # them here.
+        except ZulipLDAPException:
+            return None
 
     def get_or_create_user(self, username, ldap_user):
         # type: (str, _LDAPUser) -> Tuple[UserProfile, bool]