Add tests to verify this is enforced.

Cache

See merge request !5

It will cache User objects (not directly the resources yet), wrapping
another Backend object and invalidating the cache on every
state-changing API call.

Add a section on configuration.

Create "better" JSON, rather than just dumping binary strings in it.

Avoid implementing our own version of asp/userenckey/u2f serialization
and deserialization.

Search

Closes #6

See merge request !4

To support pattern searches, make the LDAP query templates understand
both "admin-provided input" and "user-provided input", so that
wildcards will only be escaped in the latter case.

Opaque resource ids

Closes #5

See merge request !3

CreateResourcesRequest now lets the owner be optional, allowing for
creation of owner-less resources like mailing lists.

Both CreateResources and CreateUser now check that user-level
invariants (criteria such as "1 email per user") are respected.

The new ResourceID is really a database ID (in our case, a LDAP DN),
and we have completely decoupled other request attributes like type
and owner from it.

Resource ownership checks are now delegated to the backend.

Also change the backend CreateResource call to CreateResources, taking
multiple resources at once, so we can perform user-level resource
validation, and simplify the CreateUser code path.

The shard is kept in sync with the email resource shard. CreateUser
validation enforces a single email resource per account.

Aliases and primary email addresses share the same namespace, so they
must be both included in the SearchQuery for the 'email' resource.

Mapped to the shadowLastChange attribute in LDAP.

Some errors (validation) have structured contents, not just an error
string, so we return them JSON-encoded along with a HTTP error 400.

Previously we were returning error 500 when we should have returned a 400.