Properly decode user encrypted private keys

The field is prefixed by an ID in LDAP (separated from the key data by
a ':'), strip it before returning key data from the backend.

backend/ldap.go

 package backend
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -133,6 +134,15 @@ func NewLDAPBackend(config *LDAPConfig) (*ldapBackend, error) {
 	}, nil
 }
 
+// The encrypted private keys are a compound object in LDAP (in
+// "id:key" format), we can safely ignore the key id here.
+func decodePrivateKey(enc []byte) []byte {
+	if n := bytes.IndexByte(enc, ':'); n >= 0 {
+		return enc[n+1:]
+	}
+	return enc
+}
+
 func (b *ldapBackend) GetPrivateKeys(ctx context.Context, username string) ([][]byte, error) {
 	result, err := b.pool.Search(ctx, b.config.Query.searchRequest(username, b.config.Query.PrivateKeyAttr))
 	if err != nil {
@@ -142,7 +152,7 @@ func (b *ldapBackend) GetPrivateKeys(ctx context.Context, username string) ([][]
 	var out [][]byte
 	for _, ent := range result.Entries {
 		for _, val := range ent.GetAttributeValues(b.config.Query.PrivateKeyAttr) {
-			out = append(out, []byte(val))
+			out = append(out, decodePrivateKey([]byte(val)))
 		}
 	}
 	return out, nil