ipagroup: Rework to use same mechanisms as ipahostgroup module

The ipagroup module was not using the failed and completed items in the dict
that is returned with api_command. But it was creating add and remove
lists for users, groups and services. This is not needed if the failures
"already a member" and "not a member" in the result failures are ignored.
Only other failures are reported.

tests/external-signed-ca tests: Fix external-ca.sh to use proper serials

The serial numbers have not been set for the creation of the CA and also
to sign the request. Because of this the local time has been used, which
resulted sometimes in the use of the same time stamp for the CA and the
signing reuqest. The import failed then with same issuer and serial number
error.

The cat to generate the chain.crt has been replaces with openssl x509 calls.

Some comments have also been added.

The script in external-signed-ca-with-manual-copy has been replaced with a
link to the external-signed-ca-with-automatic-copy directory.

New hostgroup management module

ipaservcer:vars has been changed to ipaserver:vars.

The states member_present and member_absent are not used and should also not
be used. This is a remain of the first try to ensure absence and presence
of users (members) in the group. This has been replaced with the setting
action: member.

There is a new hostgroup management module placed in the plugins folder:

  plugins/modules/ipahostgroup.py

The hostgroup module allows to add, remove and disable hosts.

The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.

Here is the documentation for the module:

  README-hostgroup.md

New example playbooks have been added:

  playbooks/hostgroup/ensure-hostgroup-is-absent.yml
  playbooks/hostgroup/ensure-hostgroup-is-present.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml

There is a new hostgroup management module placed in the plugins folder:

  plugins/modules/ipahostgroup.py

The hostgroup module allows to add, remove and disable hosts.

The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.

Here is the documentation for the module:

  README-hostgroup.md

New example playbooks have been added:

  playbooks/hostgroup/ensure-hostgroup-is-absent.yml
  playbooks/hostgroup/ensure-hostgroup-is-present.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml

With Ansible there is no add or remove user, there is only ensure presence
or absence of users. The descriptions have been adapted to make sure that
the description is correct now.

There is a new user management module placed in the plugins folder:

  plugins/modules/ipauser.py

The host module allows to add, remove and disable hosts.

The host module is as compatible as possible to the Ansible upstream
ipa_host` module, but addtionally offers to disable hosts.

Here is the documentation for the module:

  README-host.md

New example playbooks have been added:

  playbooks/host/add-host.yml
  playbooks/host/delete-host.yml
  playbooks/host/disable-host.yml

configure_nsswitch_database has been removed with the freeipa commit

https://github.com/freeipa/freeipa/commit/41ef8fba31ddbb32e2e5b7cccdc9b582a0809111

The 4.4 compatibility hack leads to a ALREADY installed error in
ipaclient_test because of the removal. This affects ipaclient and
ipareplica roles and also the ipaclient deployment part in ipaserver.

configure_nsswitch_database is not used any more in ipaclient role modules
and therefore simply can be removed from ansible_ipa_client.

This option defines the verbose level for the internal ansible-playbook
run.

This is option is used in test scripts.

The GSSAPI can be enabled in the management modules with either the
KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable.

For KRB5CCNAME it is needed to create a ccache file

  kinit admin@TEST.LOCAL -c /root/admin.ccache

that is transferred to the nodes (here into /root) and activated in the
playbook with

  environment:
    KRB5CCNAME: /root/admin.ccache

For KRB5_CLIENT_KTNAME a admin keytab has to be generated

  ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \
  /root/admin.keytab

that is transferred to the nodes (here into /root) and activated in the
playbook with

  environment:
    KRB5_CLIENT_KTNAME: /root/admin.keytab

It will be needed to set ipaadmin_principal if the admin principal is not
admin.

The management modules can be used without a password in this case.

For debug and error reporting it is needed to have the ansible module also
in the valid_creds function.

This option is the same as the --become-method option with ansible-playbook.
If this option is set, become_method will be set in the generated playbook.

Excessive args are printed now. The simple print of the message too many
arguments was not helping.

The p.wait() call has been missing in the normal case, therefore no proper
returncode has been returned.

If the --playbook-dir option is used, the inventory and playbook files will
be generated in this directory. The files will not be removed after the
playbook processing ended.

If the directory does not exist an error message will be printed and the
utility will not continue.

These settings are file descriptors if external certificates are used and
are not used later in the roles. Therefore these settings have been removed.

Fixes: #110 (Ansible error with external certificates)

The used code for continuous output from the ansible-playbook call was
only working for Python2. The output has only been printed when the command
finised. This code has been replaced with code that is working with Python2
and Python3.

The wrong name has been used for the option of _install_packages.

/usr/bin/python should be used by default. Fixed typo in _install_packages
setting in the inventory file.

These are utils scripts to do a server,replica or client deployment and
undeployment using the ansible roles. A client inventory and playbook is
generated by the script which is then used with ansible-playbook.

The command line options or the normal command line installers
ipa-server-install, ipa-replica-install and ipa-client-install are all
supported also by these scripts.

Additonally to the commadn line of the normal installers it is needed to
add the fqdn of the host to be installed.

It is needed that the ansible-freeipa roles are available and also usable
by ansible.

ipatopologysegment: Fail if given entry can not be found for reinitia…

Currently it is ignored if the entry for reinitialized can not be found if
the name or left and right are not correct. Now there is a failure in this
case.

Fixes: #107 (Reinitialize are failed to find the node in ipatopology ..)
Signed-off-by: Thomas Woerner <twoerner@redhat.com>

ipatopologysegment: Store suffix for commands in command list

With adding the domain and ca suffixes with `suffix: domain+ca` only ca
has been added as the suffix was only used from the last command. The
suffix is now stored together with the command and the argument. This
will fix this error.

Fixes: #106 (Last suffix adding twice in the list of topology segments)

In the README these settings have been single values instead of string
lists:
  ipareplica_http_cert_file
  ipareplica_pkinit_cert_file
instead of
  ipareplica_http_cert_files
  ipareplica_pkinit_cert_files

Add debian support for ipaclient

The prefix has been fixed in the wrong files.

This parameter name is not used and therefore not needed anymore.