is there a reason for not using rfc2253 string representation of the DN while mapping client's PKI to Kerberos principal?