A suffix is defined in the mapping tree and points to a backend implementin this suffix.

In the backend is a nsslapd-suffix attribute, which is multivalued and is mainained in a be_suffixlist.

But this handling id flawed in several ways. Probably once a backend was supposed to contain multiple suffixes, but this no longer works - and we should keep the 1:1 relationship and correct errors.

1] if the dse.ldif contains multiple nsslaps-suffix attributes only the first is used, the others ar ignored silently. The attempt to add another value via ldapmodify is rejected with err=53

2] more severe: the nsslapd-suffix attribute can have any value, there is no check that it matches the suffix in the mapping tree, so it is possible to have a suffix "dc=example,dc=com" pointing to the backend "userroot", but in the backend definition the nsslapd-suffix attr can be "o=tralalala" - and it seem to work, even if the calls to slapi_be_issuffix() return the unexpected result - these calls need extra investigation.

What to do:
- clearly document the "one backend - one suffix" rule
- reject multivalued configs with specific error message
- change implementation from be_suffixlist to be_suffix
- check that suffix in mapping tree and backend match