Only trust .bind_user() with a non-empty password.
There are two reasons one might call .bind_user(): you might want to connect to an LDAP server and perform operations on that user's behalf, or you might want to check whether a username and password pair are valid. Unfortunately, if you give the password as an empty string, many LDAP servers will grant you access as an anonymous user, regardless of the username you ask for, so just because .bind_user() accepts a username/password pair doesn't mean that's the correct password for that user. Therefore:

- I've added a warning to the bind_user() docstring.
- I've modified the `basic_auth_required()` decorator to guard against empty passwords.
- I've modified the various code examples to guard against empty passwords.
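The failure mode described in the commit message, and the guard it adds, as an added example that is not the project's own code. It assumes a hypothetical `simulated_bind_user()` standing in for the library's `bind_user()`, which mimics an LDAP server that accepts an empty password as an anonymous bind, and a constructed sample directory; the `basic_auth_required` decorator here takes the `Authorization` header value as an argument instead of reading it from a web framework, so the example runs offline.

```python
# Added example (not the project's own code): guard against empty-password
# LDAP binds before treating a successful bind as proof of credentials.
#
# Assumptions (hypothetical names, not from the page):
#   - simulated_bind_user() stands in for the library's bind_user() and
#     mimics an LDAP server that treats an empty password as an anonymous
#     bind and therefore reports success for any username.
#   - _DIRECTORY is constructed sample data.
import base64
import functools

# Constructed sample directory: username -> password
_DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}


def simulated_bind_user(username: str, password: str) -> bool:
    """Mimic a permissive LDAP server's simple bind.

    A non-empty password is checked against the directory. An empty
    password is accepted as an anonymous bind regardless of username,
    which is exactly the behaviour the commit message warns about.
    """
    if password == "":
        return True  # anonymous bind granted; says nothing about the user
    return _DIRECTORY.get(username) == password


def authenticate(username: str, password: str) -> bool:
    """Safe wrapper: only trust a bind result when the password is non-empty."""
    if not username or not password:
        return False
    return simulated_bind_user(username, password)


def _parse_basic_auth(header):
    """Decode 'Basic <base64(user:pass)>'; return (user, pass) or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def basic_auth_required(view):
    """Decorator in the style of a basic-auth guard, without a web framework.

    The wrapped view receives the Authorization header value (or None)
    as its first argument. Returns the view's result on success, or the
    tuple ("Unauthorized", 401) when credentials are missing, malformed,
    empty, or rejected by the bind.
    """
    @functools.wraps(view)
    def wrapper(authorization, *args, **kwargs):
        creds = _parse_basic_auth(authorization)
        if creds is None:
            return ("Unauthorized", 401)
        username, password = creds
        if not authenticate(username, password):
            return ("Unauthorized", 401)
        return view(username, *args, **kwargs)
    return wrapper


@basic_auth_required
def whoami(username):
    return f"hello {username}"


def make_header(username, password):
    """Build a Basic Authorization header value for the sample calls."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


if __name__ == "__main__":
    print(simulated_bind_user("alice", ""))               # True: the hazard
    print(whoami(make_header("alice", "")))               # ('Unauthorized', 401)
    print(whoami(make_header("alice", "correct horse")))  # 'hello alice'
```

The point of the `authenticate()` wrapper is that the empty-password check happens before the bind is attempted, so a server that would grant an anonymous bind never gets the chance to report a misleading success.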