cisagov / ansible-role-openvpn

Ansible role to install an OpenVPN server and configure it to authenticate user certificates against FreeIPA.
Creative Commons Zero v1.0 Universal

Fix the way certificates are mapped to users #11

Closed felddy closed 4 years ago

felddy commented 4 years ago

We are running into a bit of extra complexity dealing with the multivalue RDNs in our PIV certificate subjects.

Also, it looks like I was complicating the verification process by converting RDN sequences from x.500 order to LDAP order. This doesn't need to be done.

Also, I was creating FreeIPA cert mapping data in a less than optimal way. It can accept the base64 encoded cert blob and do it itself. But this requires that we match certificates differently.

See:

Most of the changes will occur in the verify-cn.py script. It will need to query the cert mapping data more intelligently so that multi-value RDNs within the cert mapping data are still matched regardless of string serialization.

🌶: DNs are not strings; they are sequences of sets.
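
The structural comparison described above (a DN as an ordered sequence of RDNs, each RDN an unordered set of attribute=value pairs, so a multi-valued RDN matches no matter how it was serialized) as an added Python illustration. This is not code from the role's verify-cn.py or from the project. The `X509:<I>issuer<S>subject` layout of the FreeIPA cert map data, the user names and the DNs are assumptions constructed for the example.

```python
"""Structural comparison of X.500 DNs for matching certificate subjects
against cert mapping data that may contain multi-valued RDNs.

A DN is a sequence of RDNs; each RDN is a set of attribute=value pairs
(joined with '+' in RFC 4514 string form). Two serializations of one DN can
differ in value order inside an RDN, attribute-type case and whitespace, so
the comparison is done on the parsed structure, never on the raw strings.
"""
import string
from typing import Dict, FrozenSet, List, Optional, Tuple

RDN = FrozenSet[Tuple[str, str]]


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep`, keeping every backslash escape pair intact so an
    escaped separator is not split on; _unescape resolves pairs later."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _rstrip_unescaped(s: str) -> str:
    """Drop trailing spaces unless the last one is escaped (odd run of '\\')."""
    while s.endswith(" "):
        backslashes = len(s) - 1 - len(s[:-1].rstrip("\\"))
        if backslashes % 2 == 1:
            break
        s = s[:-1]
    return s


def _unescape(v: str) -> str:
    """Resolve RFC 4514 escapes: '\\X' for a special character and '\\HH'
    for one byte (multi-byte UTF-8 hex escapes are not reassembled here)."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            hh = v[i + 1:i + 3]
            if len(hh) == 2 and all(c in string.hexdigits for c in hh):
                out.append(chr(int(hh, 16)))
                i += 3
            else:
                out.append(v[i + 1])
                i += 2
            continue
        out.append(v[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 string into an ordered list of unordered RDN sets.
    Attribute types are folded to lower case; values are kept as written."""
    rdns: List[RDN] = []
    for rdn_str in _split_unescaped(dn, ","):
        pairs = set()
        for ava in _split_unescaped(rdn_str, "+"):
            typ, eq, val = ava.partition("=")
            if not eq or not typ.strip():
                raise ValueError(f"malformed attribute=value in DN: {ava!r}")
            val = _rstrip_unescaped(val.lstrip(" "))
            pairs.add((typ.strip().lower(), _unescape(val)))
        rdns.append(frozenset(pairs))
    return rdns


def dns_match(a: str, b: str, ignore_value_case: bool = False) -> bool:
    """True when `a` and `b` name the same DN: same RDN sequence, each RDN
    compared as a set, so 'CN=x+UID=y' equals 'UID=y+CN=x'. RDN order still
    matters, so both sides must be supplied in the same (X.500 or LDAP) order."""
    ra, rb = parse_dn(a), parse_dn(b)
    if ignore_value_case:  # caseIgnoreMatch semantics for directoryString attrs
        ra = [frozenset((t, v.lower()) for t, v in r) for r in ra]
        rb = [frozenset((t, v.lower()) for t, v in r) for r in rb]
    return ra == rb


def parse_certmapdata(entry: str) -> Tuple[str, str]:
    """Split one cert map data value into (issuer DN, subject DN).
    ASSUMPTION: the 'X509:<I>issuer<S>subject' layout; confirm against the
    attribute as your FreeIPA deployment actually stores it."""
    prefix = "X509:<I>"
    if not entry.startswith(prefix) or "<S>" not in entry:
        raise ValueError(f"unrecognised cert map data: {entry!r}")
    issuer, subject = entry[len(prefix):].split("<S>", 1)
    return issuer, subject


def find_user(mapdata: Dict[str, List[str]], issuer: str, subject: str) -> Optional[str]:
    """Return the user whose cert map data names this issuer/subject pair,
    comparing the DNs structurally instead of by string equality."""
    for user, entries in mapdata.items():
        for entry in entries:
            map_issuer, map_subject = parse_certmapdata(entry)
            if dns_match(map_issuer, issuer) and dns_match(map_subject, subject):
                return user
    return None


# Constructed sample data (hypothetical users, issuer and subjects).
SAMPLE_MAPDATA = {
    "jdoe": ["X509:<I>O=Example,CN=Example CA<S>CN=Jane Doe+UID=jdoe,OU=People,O=Example"],
    "rroe": ["X509:<I>O=Example,CN=Example CA<S>CN=Richard Roe+UID=rroe,OU=People,O=Example"],
}

if __name__ == "__main__":
    # Same subject as jdoe's map entry, serialized with the multi-valued RDN
    # in the other order and with extra whitespace.
    print(find_user(SAMPLE_MAPDATA, "O=Example, CN=Example CA",
                    "uid=jdoe + CN=Jane Doe, OU=People, O=Example"))  # jdoe
```

Values are compared exactly by default; pass `ignore_value_case=True` when the attribute types involved use caseIgnoreMatch. Reversing the RDN sequence (X.500 order versus LDAP order) deliberately does not match, since that is a different sequence, not a different serialization of the same one.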

felddy commented 4 years ago

I've updated the admin guide to reflect these changes:

https://github.com/cisagov/cool-system/blob/develop/guides/admin/users.md