Make the mapping between Kerberos and LDAP configurable
!2405 (merged) introduces code that will automatically link LDAP identities to users who log in through Kerberos. However, the mapping between LDAP DN and Kerberos principal is hardcoded and may not be suitable for all setups. In particular, it won't work when:
- The Kerberos realm differs from the domain in the LDAP DN
- The LDAP UID differs from the Kerberos username
This covers the common case, but ut should be possible for users to specify how to get from a Kerberos principal to an LDAP DN (and vice-versa), as this will allow a greater range of setups to be supported.