- Jan 17, 2020
-
-
Rafael Guterres Jeffman authored
Add missing validation in ipasudocmd
-
- Jan 16, 2020
-
-
Jesús Marín authored
This fixes the issue https://github.com/freeipa/ansible-freeipa/issues/185, where the python script was launching an exception. There was a lack of verification that the input string (for the description) was a text string.
-
- Dec 30, 2019
-
-
Varun Mylaraiah authored
-
- Dec 24, 2019
-
-
Rafael Guterres Jeffman authored
ipahost: Enhanced failure msg for member params used without member action.
-
Rafael Guterres Jeffman authored
ipahost: Fix choices of auth_ind parameter, allow to reset parameter
-
- Dec 23, 2019
-
-
Rafael Guterres Jeffman authored
ipauser: Allow reset of userauthtype, do not depend on first,last for…
-
Varun Mylaraiah authored
-
- Dec 19, 2019
-
-
Thomas Woerner authored
New vault management module.
-
- Dec 18, 2019
-
-
Thomas Woerner authored
The failure message if member parameters like certificate, managedby_host, principal, allow_create_keytab_* and allow_retrieve_keytab_* are used without member action for state absent has been enhanced to propose the member action.
-
- Dec 17, 2019
-
-
Thomas Woerner authored
It was not possible to reset the userauthtype. The empty string has been added to userauthtype for this. Also ipauser will only depend on given first and last name if the user does not exist yet. For the update operation these parameters are not needed anymore.
-
Thomas Woerner authored
The choices for the auth_ind parameter have been wrong. The choices are now ['radius', 'otp', 'pkinit', 'hardened', '']. The empty string has been added to be able to reset auth_ind for the host entry.
-
- Dec 16, 2019
-
-
Rafael Guterres Jeffman authored
There is a new vault management module placed in the plugins folder:

  plugins/modules/ipavault.py

The vault module allows to ensure presence and absence of vaults, manage members and owner of the vault, and archive data in the vault.

Here is the documentation for the module:

  README-vault.md

New example playbooks have been added:

  playbooks/vault/data-archive-in-asymmetric-vault.yml
  playbooks/vault/data-archive-in-symmetric-vault.yml
  playbooks/vault/ensure-asymetric-vault-is-absent.yml
  playbooks/vault/ensure-asymetric-vault-is-present.yml
  playbooks/vault/ensure-service-vault-is-absent.yml
  playbooks/vault/ensure-service-vault-is-present.yml
  playbooks/vault/ensure-shared-vault-is-absent.yml
  playbooks/vault/ensure-shared-vault-is-present.yml
  playbooks/vault/ensure-standard-vault-is-absent.yml
  playbooks/vault/ensure-standard-vault-is-present.yml
  playbooks/vault/ensure-symetric-vault-is-absent.yml
  playbooks/vault/ensure-symetric-vault-is-present.yml
  playbooks/vault/ensure-vault-is-present-with-members.yml
  playbooks/vault/ensure-vault-member-group-is-absent.yml
  playbooks/vault/ensure-vault-member-group-is-present.yml
  playbooks/vault/ensure-vault-member-user-is-absent.yml
  playbooks/vault/ensure-vault-member-user-is-present.yml
  playbooks/vault/ensure-vault-owner-is-absent.yml
  playbooks/vault/ensure-vault-owner-is-present.yml

New tests added for the module:

  tests/vault/test_vault.yml
-
- Dec 14, 2019
-
-
Thomas Woerner authored
ansible-galaxy needs to be used to build the Ansible collection. mazer should not be used any more.
-
Thomas Woerner authored
dependencies may not be an empty dict like in the past, but it may also not be missing. It simply needs to be empty. Fixes #146 (ansible-freeipa collection not installable by 2.9 ansible-galaxy collection install)
-
- Dec 13, 2019
-
-
Rafael Guterres Jeffman authored
ipauser: Extend email addresses with default email domain if no domain is set
-
Rafael Guterres Jeffman authored
ipaserver_test: Do not use zone_overlap_check for domain name validation
-
Thomas Woerner authored
If there is no domain set for email addresses, extend the email addresses with the default email domain that is gathered from the config_show output. This fixes RHBZ#1747413 ([ansible-freeipa] user module throwing an error if..)
-
Thomas Woerner authored
Allow execution of API commands that do not require parameters.
-
- Dec 12, 2019
-
-
Thomas Woerner authored
Drop options from the allow_create_keytab_ and allow_retrieve_keytab_ parameter documentation. There are no options.
-
- Dec 11, 2019
-
-
Rafael Guterres Jeffman authored
There are some commands in the IPA API that do not require arguments, and current implementation does not allow these commands to be executed. This patch adds api_command_no_name to allow the execution of such commands, which is required, for example, to create a vaultcontainer management module.
-
Thomas Woerner authored
The use of zone_overlay_check for the domain name validation is not good for a repeated execution of the server deployment where setup_dns is enabled. The zone overlay check will fail with "DNS zone X already exists in DNS". zone_overlay_check is later on used in dns.install_check so it is not needed to do it here also. Fixes issues #164 (domain option validator should not call zone overlap..)
-
- Dec 09, 2019
-
-
Thomas Woerner authored
Fix install packages in ipaserver and ipareplica roles
-
Alexander Bokovoy authored
ipareplica role by default tries to configure firewalld but it didn't check if firewalld related packages were installed. Similar to DNS and trust to AD features, install firewalld-related packages before trying to configure firewalld. Additionally, enable and start firewalld.service because otherwise firewall-cmd cannot communicate with firewalld itself (it is not starting on demand). If an administrator considers not to use firewalld, a default for ipareplica_setup_firewalld variable has to be set to 'no'. Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
-
Alexander Bokovoy authored
ipaserver role by default tries to configure firewalld but it didn't check if firewalld related packages were installed. Similar to DNS and trust to AD features, install firewalld-related packages before trying to configure firewalld. Additionally, enable and start firewalld.service because otherwise firewall-cmd cannot communicate with firewalld itself (it is not starting on demand). If an administrator considers not to use firewalld, a default for ipaserver_setup_firewalld variable has to be set to 'no'. Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
-
- Dec 06, 2019
-
-
Thomas Woerner authored
Exchange ipaclient_allow_repair and ipaclient_otp in Special Variables
-
Thomas Woerner authored
The documentation of ipaclient_otp was not part of the pull request 102 (commit d1af0ff4). The role README has been updated.
-
- Dec 02, 2019
-
-
Rafael Guterres Jeffman authored
ipahost: Extension to be able to handle several hosts and all settings
-
Thomas Woerner authored
ipa[server,replica,client]: Add support for CentOS-8
-
Thomas Woerner authored
ansible_freeipa_module: Better support for KRB5CCNAME environment variable
-
Thomas Woerner authored
The ipahost management module was not able to add several hosts at once. Additionally there have been settings missing.

ansible_freeipa_module has been extended to provide two additional functions that are needed to simplify the extension of the ipahost module:

  gen_add_del_lists(user_list, res_list)
  encode_certificate(cert)

gen_add_del_lists will generate the lists for the addition and removal of members using the provided user and ipa settings.

encode_certificate will encode a certificate using base64 with also taking FreeIPA and Python versions into account.

The missing settings in ipahost have been:

  certificate
  managedby_host
  principal
  create_keytab_[user,group,host,hostgroup]
  retrieve_keytab_[user,group,host,hostgroup]
  sshpubkey
  userclass
  auth_ind
  requires_pre_auth
  ok_as_delegate
  ok_to_auth_as_delegate

The README-host.md file has been updated to provide information about the new settings and also the members. Also examples for the new things have been added.

New example playbooks have been added:

  playbooks/host/add-host.yml
  playbooks/host/host-member-allow_create_keytab-absent.yml
  playbooks/host/host-member-allow_create_keytab-present.yml
  playbooks/host/host-member-allow_retrieve_keytab-absent.yml
  playbooks/host/host-member-allow_retrieve_keytab-present.yml
  playbooks/host/host-member-certificate-absent.yml
  playbooks/host/host-member-certificate-present.yml
  playbooks/host/host-member-managedby_host-absent.yml
  playbooks/host/host-member-managedby_host-present.yml
  playbooks/host/host-member-principal-absent.yml
  playbooks/host/host-member-principal-present.yml
  playbooks/host/host-present-with-allow_create_keytab.yml
  playbooks/host/host-present-with-allow_retrieve_keytab.yml
  playbooks/host/host-present-with-certificate.yml
  playbooks/host/host-present-with-managedby_host.yml
  playbooks/host/host-present-with-principal.yml
  playbooks/host/host-present-with-randompassword.yml
  playbooks/host/host-present.yml
  playbooks/host/hosts-member-certificate-absent.yml
  playbooks/host/hosts-member-certificate-present.yml
  playbooks/host/hosts-member-managedby_host-absent.yml
  playbooks/host/hosts-member-managedby_host-present.yml
  playbooks/host/hosts-member-principal-absent.yml
  playbooks/host/hosts-member-principal-present.yml
  playbooks/host/hosts-present-with-certificate.yml
  playbooks/host/hosts-present-with-managedby_host.yml
  playbooks/host/hosts-present-with-randompasswords.yml

New tests have been added for the module:

  tests/host/certificate/cert1.der
  tests/host/certificate/cert1.pem
  tests/host/certificate/cert2.der
  tests/host/certificate/cert2.pem
  tests/host/certificate/cert3.der
  tests/host/certificate/cert3.pem
  tests/host/certificate/private1.key
  tests/host/certificate/private2.key
  tests/host/certificate/private3.key
  tests/host/certificate/test_host_certificate.yml
  tests/host/certificate/test_hosts_certificate.yml
  tests/host/test_host.yml
  tests/host/test_host_allow_create_keytab.yml
  tests/host/test_host_allow_retrieve_keytab.yml
  tests/host/test_host_managedby_host.yml
  tests/host/test_host_principal.yml
  tests/host/test_host_random.yml
  tests/host/test_hosts.yml
  tests/host/test_hosts_managedby_host.yml
  tests/host/test_hosts_principal.yml
-
Thomas Woerner authored
The files for RHEL-8 (RedHat-8.yml) have simply been linked to CentOS-8.yml for the ipaserver, ipareplica and ipaclient roles. Fixes issue #121 (roles/*/vars needs CentOS-8.yml files)
-
Thomas Woerner authored
The use of gssapi.creds.Credentials is not good if krb5 ticket forwarding is used. It will fail. gssapi.Credentials with usage and store is the proper way to do this.
-
- Nov 29, 2019
-
-
Thomas Woerner authored
Added context configuration to api_connect.
-
Rafael Guterres Jeffman authored
This patch allows the connection to the ipa api to use a context different than 'server', if needed.
-
- Nov 21, 2019
-
-
Rafael Guterres Jeffman authored
ipaclient: Fix misspelled sssd options
-
Varun Mylaraiah authored
ipauser, ipahost: Return random password
-
- Nov 20, 2019
-
-
Thomas Woerner authored
The random password is only returned if random is yes and the host did not exist or update_password is yes.

If only one host is handled by the module, the returned dict is containing this dict:

  { "randompassword": "<the host random password>" }

If several hosts are handled by the module (future feature):

  { "<host>": { "randompassword": "<the host random password>" } }

Fixes issue #134 (ipahost does not return the random password)
-
Thomas Woerner authored
The random password is only returned if random is yes and user did not exist or update_password is yes.

If only one user is handled by the module, the returned dict is containing this dict:

  { "randompassword": "<the user random password>" }

If several users are handled by the module:

  { "<user>": { "randompassword": "<the user random password>" } }

This is related to issue #134 (ipahost does not return the random password)
-
Thomas Woerner authored
The sssd options in the ipaclient role missed a 's' in the role. The readme of the role used the proper names with 3 's'. The names in the role have been fixed and if the old settings are used, they will be used in the first place. Also utils/ansible-ipa-client-install has been adapted to use the proper option names now. This fixes issue #145 (The ipaclient role misspells sssd)
-
- Nov 19, 2019
-
-
Thomas Woerner authored
Add missing information about action variable.
-