The use of custodiainstance.get_custodia_instance requires that
options.promote exists. As this is a server installation, promote
is set to False.

As the old way to include tasks is deprecated, replace static include
statements with import_tasks and dynamic ones with include_tasks.

Increaded the required ansible version to 2.5.0 to make sure that
include_tasks and import_tasks is working as expected.

Fixes issue #38

ipaserver_setup_adtrust was using api_Backend_ldap2_connect instead of
api_Backend_ldap2 with attribute connect set to True.

Fixes issue #39

This is more like the normal installer behavior and should also help with
issue #50: https://github.com/freeipa/ansible-freeipa/issues/50

subject_validator and also VALID_SUBJECT_ATTRS are provided of the ca
binding.

Fixes issue #43

Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.

This is related to freeipa upstream commit:

Delay enabling services until end of installer:
  https://github.com/freeipa/freeipa/commit/7284097

Custodia is configured before CA and used in the setup of CA. Also add
support for name FIRST_MASTER as a replacement for MASTER_PEER.

This is related to the freeipa upstream commits:

Use single Custodia instance in installers:
  https://github.com/freeipa/freeipa/commit/994f71a
Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER:
  https://github.com/freeipa/freeipa/commit/842cb5f

This is a partly pick of the changes done by pyguy for pull request #28.
The unrelated changed on inventory files have been removed and the change
to the README has been adapted to use the "Supported Distributions" section.

The original commits by pyguy in https://github.com/pyguy/ansible-freeipa
are:

commit 1ed1fa845eafd69432b1fd1fc8e5329e4991e84a
Author: pyguy <hr.josheghani@gmail.com>
Date:   Mon Jun 25 17:17:31 2018 +0430

    Ubuntu Support added

commit 9a4a7c84e4af20af27e814aba4fc2c6b8b35ec0f
Author: pyguy <hr.josheghani@gmail.com>
Date:   Sun Jun 24 10:58:07 2018 +0430

    Ubuntu support added

Tee message for a domain and realm name mismatch should be a warning and
not a fail in the ipaserver test. It is also a warning in the normal
installer.

The use of IPA versions to determine if get_custodia_instance should be
used was not optimal as the patch that introduced this has been back-ported
to the EL-7 package with verion 4.5.4. As get_custodia_instance was not
available before we can simply check if get_custodia_instance exists in
custodiainstance.

Lowered version check to be compatible with CentOS 7.5
Added missing attributes to setup_kra to be compatible with latest python2-ipaserver librarty on CentOS 7.5 (python2-ipaserver-4.5.4-10.el7.centos.3.noarch)

Signed-off-by: dihmandrake <jasper.bernhardt@live.de>

A new Fedora-27 ditribution specific file has been added. Additionally
ipaserver_packages_adtrust has been updated in all files to contain
[free]ipa-server-trust-ad.

The python3 bindings should be required and not the python2 bindings as a
default.

Affected files:
- ipaserver/library/ipaserver_enable_ipa.py
- ipaserver/library/ipaserver_master_password.py

With IPA 4.7 bigger changes have been introduced

Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- New IPAChangeConf (not used in ipaserver modules)
- New check_ldap_conf form ipaclient.install.client
- custodia instance needed for ca and kra
- no_ntp defaults to yes for client installation part
- A new option ntp_pool has been introduced (set to None).

tasks.create_tmpfiles_dirs only needs IPAAPI_USER as an argument for
version 4.5.4. For 4.5 there is no support for arguments.

IPAAPI_USER is therefore only needed for 4.5.4 in
module_utils/ansible_ipa_server.py

When forwarders list or the no_forwarders flag has been set, the
configuraiton does not reflect the setting. With no_forwarders
the preparation step of the DNS server could fail in ipaserver_prepare.

This is addressing the issue of pull request #25.

- Do not register a change in the playbook run when registering the
  variable checking for whether or not Python 3 imports work

Signed-off-by: Kellin <kellin@retromud.org>

b29db07c3b3d8937f53684fdbba985fec525d69d by Christian Heimes

    Replace custom file_exists() and dir_exists() functions with proper
    functions from Python's stdlib.

    The change also gets rid of pylint's invalid bad-python3-import error,
    https://github.com/PyCQA/pylint/issues/1565

tasks.create_tmpfiles_dirs does not support options for FreeIPA 4.5

options.kasp_db_file is used in dns.install_check if options.dnssec_master
is enabled. kasp_db_file defauts to None and is only a supported option in
the post deployment ipa-dns-install script. Therefore it is suffient to
set it to None.

A new section has been added to configure firewalld automatically as the
last step of the server installation.

A new switch has been added to be able to turn firewalld configuration off:
ipaserver_no_firewalld. It defaults to no.

The client role is used also while installing the server. There has been an
issue where the server installation has not been complete because of a
playbook termination in the client.

This has been fixed and the client and also the server are fully configured
in the server installation.

force and allow_zone_overlap options were missing from a couple places.

Signed-off-by: Scott Poore <spoore@redhat.com>

This is needed to fix the installation without configuring the dns server in
the IPA server.

forward_policy needs to be None for the DNS check for proper initialization
if the user is not providing another forward_policy value. forward_policy will
be set in the DNS check.

no_dnssec_validation is enabled in the DNS check if the forwarders do not
provide DNSSEC validation. Therefore this needs to be handed over to the dns
installation later on.

New return values for forward_policy and no_dnssec_validation have been added
to the ipaserver_test module.

The client settings are:

ipaclient_mkhomedir
ipaclient_no_ntp
ipaclient_ssh_trust_dns
ipaclient_no_ssh
ipaclient_no_sshd
ipaclient_no_dns_sshfp

ipaserver_password has been renamed to ipaadmin_password
ipaserver_dm_password has been renamed to ipadm_password

With using the name password for the password return it will be hidden
automatically and an error message will still be visible.