Remove unnecessary String creation from password char[] (elastic/x-pack-elasticsearch#713)

This commit removes an unnecessary String creation from the char[] of a password and instead uses
a byte[] that is cleared after it is used to prevent the password bytes from sticking around in
memory longer than required.

Original commit: elastic/x-pack-elasticsearch@1154a68965

plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.java

@@ -171,11 +171,14 @@ class LdapUserSearchSessionFactory extends SessionFactory {
                 listener.onResponse(null);
             } else {
                 final String dn = entry.getDN();
+                final byte[] passwordBytes = CharArrays.toUtf8Bytes(password.internalChars());
                 try {
-                    LdapUtils.privilegedConnect(() -> connectionPool.bindAndRevertAuthentication(dn, new String(password.internalChars())));
+                    LdapUtils.privilegedConnect(() -> connectionPool.bindAndRevertAuthentication(new SimpleBindRequest(dn, passwordBytes)));
                     listener.onResponse(new LdapSession(logger, connectionPool, dn, groupResolver, timeout, entry.getAttributes()));
                 } catch (LDAPException e) {
                     listener.onFailure(e);
+                } finally {
+                    Arrays.fill(passwordBytes, (byte) 0);
                 }
             }
         }, listener::onFailure));