Compare AD DNs case-insensitively when checking group membership

[jatoben]

Active Directory is case-insensitive but case-preserving for most attributes, including DNs.

When binding, the DN will be returned in the entry with the same case as you originally provided, regardless of how the DN is actually stored. But because the Active Directory group membership validator uses a case-sensitive comparison, it excludes the user from groups they should belong to:

domain.user?('user1').dn
=> "CN=User 1,CN=Users,DC=example,DC=com"

entry = strategy.domain('cn=user 1,cn=users,dc=example,dc=com').bind
entry.dn
=> "cn=user 1,cn=users,dc=example,dc=com"

groups = domain.groups(['all-users'])
groups.first.member
=> ["CN=User 1,CN=Users,DC=example,DC=com"]

validator = strategy.membership_validator.new(strategy, groups)
validator.perform(entry)
=> false

This PR makes the AD membership validator case-insensitive when comparing DNs.

/cc @github/enterprise-support @github/ldap @mtodd @shayfrendt

[mtodd]

👍 diff looks good. Will get this merged in this week.

[shayfrendt]

Yup, looks good to me as well. 🚀