ac62484 ipa-kdb: simplify trusted domain parent search

1 file changed. Authored by abbra 7 years ago, committed by mbabinsk 7 years ago.
    ipa-kdb: simplify trusted domain parent search
    
    In terms of cross-forest trust, the parent domain is the root domain of
    the forest because we only have a trust established with the forest root.
    
    In the FreeIPA LDAP store all sub-domains are stored in the cn=<forest root>,
    cn=ad,cn=trusts,... subtree. Thus, the first RDN after cn=ad is the
    forest root domain. This allows us to simplify the logic of finding
    the parent domain.
    
    For complex hierarchical forests with more than two levels of
    sub-domains, this will still be true because of the forest trust:
    as the forest trust is established to the forest root domain, any
    communication to any sub-domain must traverse the forest root domain's
    domain controller.
    
    Note that SSSD also generated incorrect CA paths information
    for forests with non-hierarchical tree-roots. In such cases
    the IPA KDC got confused and mistakenly assumed a direct trust to the
    non-hierarchical tree-root instead of going through the forest
    root domain. See https://fedorahosted.org/sssd/ticket/3103 for
    details.
    
    Resolves: https://fedorahosted.org/freeipa/ticket/5738
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
    
        
file modified
+14 -13
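The rule the commit message relies on, as an added example in Python that is not FreeIPA's own ipa-kdb code: trusted AD domains sit under cn=<forest root>,cn=ad,cn=trusts,<suffix>, so the forest root of any entry in that subtree is the value of the first RDN after cn=ad when the DN is read from the suffix towards the leaf, and the parent of every sub-domain is that forest root. The suffix dc=ipa,dc=test and the domain names in the samples are constructed for this example; the check that cn=ad is immediately followed by cn=trusts is added here so that a sub-domain which happens to be named "ad" is not mistaken for the container.

```python
# Added example, not FreeIPA's ipa-kdb code. Suffix dc=ipa,dc=test and all
# domain names below are constructed for illustration.


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # keep the escape pair intact so "cn=a\,b" stays one RDN
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def _rdn_parts(rdn):
    """Return (attribute, value) of one RDN; attribute is lower-cased."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()


def _ad_container_index(rdns):
    """Index of the cn=ad RDN that is directly followed by cn=trusts, or None.

    Requiring cn=trusts right after cn=ad means a trusted domain literally
    named "ad" (cn=ad,cn=root.test,cn=ad,cn=trusts,...) is not mistaken
    for the container.
    """
    for idx in range(len(rdns) - 1):
        attr, value = _rdn_parts(rdns[idx])
        nattr, nvalue = _rdn_parts(rdns[idx + 1])
        if (attr, value.lower()) == ("cn", "ad") and \
                (nattr, nvalue.lower()) == ("cn", "trusts"):
            return idx
    return None


def forest_root_for(dn):
    """Forest root name for any entry under cn=ad,cn=trusts, else None.

    The forest root entry itself and every sub-domain stored beneath it
    resolve to the root's name. The bare container cn=ad,cn=trusts,...
    names no domain and yields None, as do DNs outside the subtree.
    """
    rdns = split_dn(dn)
    idx = _ad_container_index(rdns)
    if idx is None or idx == 0:
        return None
    return _rdn_parts(rdns[idx - 1])[1]


def trusted_domain_parent(dn):
    """Domain to route through for a trusted-domain entry, or None.

    Per the commit message the parent of every sub-domain is the forest
    root, because the trust exists only with the root. The forest root
    entry (its leaf RDN sits directly before cn=ad) has no parent.
    """
    rdns = split_dn(dn)
    idx = _ad_container_index(rdns)
    if idx is None or idx <= 1:
        return None
    return _rdn_parts(rdns[idx - 1])[1]


if __name__ == "__main__":
    # Constructed sample entries: a forest root, a hierarchical child, a
    # non-hierarchical tree-root in the same forest, and a non-trust entry.
    samples = [
        "cn=ad.test,cn=ad,cn=trusts,dc=ipa,dc=test",
        "cn=child.ad.test,cn=ad.test,cn=ad,cn=trusts,dc=ipa,dc=test",
        "cn=tree.example,cn=ad.test,cn=ad,cn=trusts,dc=ipa,dc=test",
        "uid=admin,cn=users,cn=accounts,dc=ipa,dc=test",
    ]
    for dn in samples:
        print(dn, "->", forest_root_for(dn), "/ parent:", trusted_domain_parent(dn))
```

Both the hierarchical child and the non-hierarchical tree-root resolve to ad.test, which is the point of the simplification: the KDC never needs to know how the AD forest is shaped internally, only which forest root the entry is filed under.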