feat: LDAP avatar support via lldap

- Create tinker-tickets service account in lldap (lldap_strict_readonly)
- Add /api/user_avatar.php: binds to lldap, fetches avatar attribute,
  caches JPEG to uploads/avatars/, returns 404 sentinel for missing photos
- Install php8.2-ldap on LXC 132 (beta) and LXC coding server
- Update layout_header.php: show lt-avatar with photo overlay + initials fallback
- Update TicketView.php: comment avatars use photo overlay pattern
- Add .lt-avatar-img / .lt-avatar-initials CSS for photo-over-initials layout
- Add LDAP_* config keys to config.php and .env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

config/config.php

@@ -87,7 +87,18 @@ $GLOBALS['config'] = [
     // Default: America/New_York (EST/EDT)
     // Common options: America/Chicago (CST), America/Denver (MST), America/Los_Angeles (PST), UTC
     'TIMEZONE' => $envVars['TIMEZONE'] ?? 'America/New_York',
-    'TIMEZONE_OFFSET' => null // Will be calculated below
+    'TIMEZONE_OFFSET' => null, // Will be calculated below
+
+    // LDAP / lldap settings (for user avatar lookups)
+    'LDAP_HOST'        => $envVars['LDAP_HOST']        ?? '10.10.10.39',
+    'LDAP_PORT'        => (int)($envVars['LDAP_PORT']  ?? 3890),
+    'LDAP_BIND_DN'     => $envVars['LDAP_BIND_DN']     ?? 'uid=tinker-tickets,ou=people,dc=example,dc=com',
+    'LDAP_BIND_PW'     => $envVars['LDAP_BIND_PW']     ?? '',
+    'LDAP_BASE_DN'     => $envVars['LDAP_BASE_DN']     ?? 'dc=example,dc=com',
+    'LDAP_USER_BASE'   => $envVars['LDAP_USER_BASE']   ?? 'ou=people,dc=example,dc=com',
+    'LDAP_ENABLED'     => filter_var($envVars['LDAP_ENABLED'] ?? 'true', FILTER_VALIDATE_BOOLEAN),
+    'AVATAR_CACHE_DIR' => __DIR__ . '/../uploads/avatars',
+    'AVATAR_CACHE_TTL' => (int)($envVars['AVATAR_CACHE_TTL'] ?? 3600), // seconds
 ];
 
 // Set PHP default timezone