f6345f3 ipa-kdb: do not fail if certmap rule cannot be added

1 file. Authored by sbose 2 years ago, committed by frenaud 2 years ago.
    ipa-kdb: do not fail if certmap rule cannot be added
    
    Currently, if a certificate mapping and matching rule has a typo or is of
    an unsupported type, the whole rule processing is aborted and the IPA
    certmap plugin works without any rules, effectively disabling PKINIT for
    users. Since each rule would only allow more certificates for PKINIT, it
    would be more user/admin friendly to just ignore the failed rules with a
    log message and continue with what is left, or use the default rule if
    nothing is left.
    
    This change is done to add more flexibility to define new mapping and
    matching templates which are e.g. needed to cover changes planned by
    Microsoft as explained in
    https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
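
The failure policy described in the commit message, shown as an added C example that is not the ipa-kdb code. `add_rule`, both loader functions and the sample rules are hypothetical stand-ins for the real certmap library call and configuration.

```c
#include <stdio.h>
#include <string.h>

struct rule { const char *name; const char *match; };  /* hypothetical */

/* Hypothetical stand-in for the certmap library's add-rule call: accepts
 * only match rules that start with a component tag it knows. */
static int add_rule(const struct rule *r) {
    static const char *known[] = { "<ISSUER>", "<SUBJECT>" };
    for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strncmp(r->match, known[i], strlen(known[i])) == 0)
            return 0;
    return -1;  /* typo or unsupported type */
}

/* Before the change: the first failure aborts, no rules are active. */
int load_rules_strict(const struct rule *rules, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (add_rule(&rules[i]) != 0)
            return 0;
    return (int)n;
}

/* After the change: log and skip the failed rule, keep the rest; when none
 * is left, *use_default tells the caller to install the default rule. */
int load_rules_tolerant(const struct rule *rules, size_t n, int *use_default) {
    int loaded = 0;
    for (size_t i = 0; i < n; i++) {
        if (add_rule(&rules[i]) != 0) {
            fprintf(stderr, "certmap: ignoring rule '%s'\n", rules[i].name);
            continue;
        }
        loaded++;
    }
    *use_default = (loaded == 0);
    return loaded;
}

/* Constructed input: one valid rule and one with a typo in its tag. */
static const struct rule sample[] = {
    { "corp-ca", "<ISSUER>CN=Example CA,O=EXAMPLE" },
    { "typo",    "<ISUER>CN=Example CA,O=EXAMPLE" },
};

int main(void) {
    int use_default;
    printf("strict: %d rule(s)\n", load_rules_strict(sample, 2));
    printf("tolerant: %d rule(s)\n", load_rules_tolerant(sample, 2, &use_default));
    return 0;
}
```

With the constructed input, the strict loader ends with no active rules because of the single typo, while the tolerant loader keeps the valid rule and reports the skipped one on stderr.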