Use FreeIPA API to authenticate and authorize users instead of LDAP.

[felddy]

🗣 Description

• Replace LDAP calls with kerberized calls to the FreeIPA API.
• Compare user TLS certificates instead of just their CN.
• Modernize role.
• Upstream changes.

💭 Motivation and Context

We were running into issues with LDAP comparing DNs. Specifically multi-value RDNs. The order of AVAs with and RDNs is insignificant (is a set). There is no way to "normalize" a CN that will thwart our badging offices ability to scramble up our UIDs nicely.

See: https://frasertweedale.github.io/blog-redhat/posts/2019-05-28-a-dn-is-not-a-string.html

We are now configuring OpenVPN to pass the user's entire public certificate to us as a file. It is then sent to FreeIPA for matching.

As an added benefit we can now ask FreeIPA interesting questions not only about group membership, but multiple attributes that would deactivate an account, preventing login.

🧪 Testing

Tested in staging. Molecule tests.

📷 Screenshots (if appropriate)

🚥 Types of Changes

• [ ] Bug fix (non-breaking change which fixes an issue)
• [ ] New feature (non-breaking change which adds functionality)
• [x] Breaking change (causes existing functionality to change)

✅ Checklist

• [x] My code follows the code style of this project.
• [x] My change requires a change to the documentation.
• [x] I have updated the documentation accordingly.
• [x] I have read the CONTRIBUTING document.
• [ ] I have added tests to cover my changes.
• [x] All new and existing tests passed.
• [x] Big thanks to @jsf9k for fixing things I could not.