Switch to really opaque ResourceIDs
The new ResourceID is really a database ID (in our case, a LDAP DN), and we have completely decoupled other request attributes like type and owner from it. Resource ownership checks are now delegated to the backend. Also change the backend CreateResource call to CreateResources, taking multiple resources at once, so we can perform user-level resource validation, and simplify the CreateUser code path.
Showing with 652 additions and 519 deletions