ipa-kdb: handle cross-realm TGT entries when generating PAC
    
    For generating PAC we need to know SID of the object and a number of
    required attributes. However, trusted domain objects do not have these
    attributes. Luckily, IPA LDAP schema puts them under actual trust
    objects which have all the additional (POSIX) attributes.
    
    Refactor PAC generator to accept secondary LDAP entry and use that one
    to pull up required attributes. We only use this for trusted domain
    objects.
    
    Fixes: https://pagure.io/freeipa/issue/9083
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Julien Rische <jrische@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Julien Rische <jrische@redhat.com>