forward_policy needs to be None for the DNS check for proper initialization
if the user is not providing another forward_policy value. forward_policy will
be set in the DNS check.

no_dnssec_validation is enabled in the DNS check if the forwarders do not
provide DNSSEC validation. Therefore this needs to be handed over to the dns
installation later on.

New return values for forward_policy and no_dnssec_validation have been added
to the ipaserver_test module.

The client settings are:

ipaclient_mkhomedir
ipaclient_no_ntp
ipaclient_ssh_trust_dns
ipaclient_no_ssh
ipaclient_no_sshd
ipaclient_no_dns_sshfp

ipaserver_password has been renamed to ipaadmin_password
ipaserver_dm_password has been renamed to ipadm_password

With using the name password for the password return it will be hidden
automatically and an error message will still be visible.

There is no way to repair a server installation like it is possible with a
client.

These global variables are initialized in the dns module in the
dns.install_check function. The settings are needed to be able to do a
proper dns setup in the ipaserver_setup_dns ansible module.

This methods creates a list of ipautil.CheckedIPAddress from the provided
ip string list.

Attempt to sync time if on_master is not set and no_ntp is not set: At
first with given or dicovered time servers. If no ntp servers have been
given or discovered, then with the ipa server.

New parameters:
  on_master:
    description: IPA client installation on IPA server
    required: false
    default: false
    type: bool
    default: no
  ntp_servers:
    description: List of NTP servers to use
    required: false
    type: list
    default: []
  no_ntp:
    description: Do not sync time and do not detect time servers
    required: false
    default: false
    type: bool
    default: no

The ntp_servers output parameter is now always an empty list if on_master
or no_ntp is set.

This is needed to be able to use ipaclient role in the server role

The support for external cert files is not complete yet.

ipaclient_hostname needs to be specified in the inventory file for the hosts
where the name needs to get changed.

Example:
192.168.1.1 ipaclient_hostname=ipaclient1.mine.local

The option should not be specified in [ipaclients:vars] as all hosts would
get the same name.

With ansible 2.3.1 it is possible to have one place as an additional utils
module to do all the needed steps to be able to generate the environment for
new and older ipa versions.

The library modules are now a lot smaller.

The minimal ansible version has been increased to 2.3.1.

In the future it might now also be possible to have a special
ansible_ipa_client version for ipa < 4.4 in this utils module.

ipahost module: fix the module for IPA 4.4 server

The module had unused imports preventing execution with an IPA 4.4 server.
The commit removes unneeded imports, and adds documentation details.

Remove unused inventory variables

Simplify ipaclient uninstall

The failed test result in ipahost will not be seen because of the no_log
setting to hide the generated password.

The use of ansible_fqdn could result in a failure if DNS hostname and IP
do not match.

If the client name is not resolvable, the call of client_dns will internally
result in a logger.error call for the failed update of the DNS records.

The call to standard_logging_setup is fixing the behaviour to bremore like
a debug call.

The additional client test is needed to make sure that the client is
installed for python3 usage. The ipalib test has not been sufficient.

Currently ipaclient role is using the module ipaclient only for uninstallation,
and this module contains a lot of unused code.
It is simpler to directly call the command-line
   ipa-client-install --uninstall -U
and remove the ipaclient module.