my simplesamlphp connects to ldap to check credentials; and ldap holds attributes for each user (multiple "l"-entries) that define, on which SP they should be able
