Use displayName in preference to cn/sn
Currently we use the cn and sn fields as canonical from Lookup and fall back to display name if these are hidden. This is mostly to be compatible with the existing Google Authenticator. Now we're in the brave new world, move to using displayName as the canonical source.
This will probably require a manual run of the sync tool as this is likely to touch a large number of users.