Temporarily using allow_origins=['*'] to debug whether CORS is blocking LDAP login requests from VPN client. This is insecure for production. TODO: Fix subnet pattern matching in ALLOWED_ORIGINS configuration.