The check for the ipaadmin_keytab was not using "is defined". Because of this
the playbook processing failed if the variable was not defined.

Fixes #87 (ipareplica README seems to have incorrect info)

This is for example the case if ipaadmin_keytab is used instead without
ipaclient_use_otp.

ipaadmin_keytab has been supported only with with ipaclient_use_otp. But
it can also be used without for ipa-join.

Important is that ipaadmin_keytab needs to be placed on the cliend node
and ipaadmin_keytab needs to be a full path. Otherwise the file will not
be found.

Password and keytab do not need to be set explicitely to an empty string
when they are not set. Also there is no need to have string length checks
in the role tasks.

With the deactivation of the Python2/3 test the handling of
ansible_python_interpreter needs to be removed as the setting might
not exist and is not changed in with the Python2/3 test any more.

This is a remain of the Python2 version and has been fixed.

Fixed: #86 (AttributeError: 'str' object has no attribute 'decode')

The code for host_name, the domain_name and also the realm_name has been
adapted to the code in the command line installer. The _hostname_overridden
setting is now only true if the hostname has been changed.

The install checks have been done temporarily in _test and finally also
in _prepare. This is not needed and also not done this way in the command
line installers.

This makes AnsibleModuleLog compatible to the version in ipareplica role.

The addtion is not oly adding the config setting, but also fixing the
deployment without the setting as functions and methods have been changed
for pki_config_override.

There is a new setting for the ipaserver role:

ipaserver_pki_config_override

tasks.restore_context is only used in old releases. The existence of
paths.CACHE_IPA_SESSIONS is used to determine if the call needs to be
done or not.

The section is not used since a long time any more and can therefore be
removed.

Run validate_hostname to check for valid host name if constants.MAXHOSTNAMELEN
is defined. The call has not been used in older FreeIPA versions.

ansible-freeipa is a new Ansible Collection introduced with Ansible 2.8 and
Ansible Galaxy 3.2.

Dashes in names are not allowed in Galaxy and are automatically replaced
by underscores. Therefore the name in Galaxy is ansible_freeipa.

There are now two topology management modules placed in the plugins folder:

  plugins/modules/ipatopologysegment.py
  plugins/modules/ipatopologysuffix.py

Topology segments can be added, removed and reinitialized with the
ipatopologysegment module. Also it is possible to verify topology suffixes
with the ipatopologysuffix module.

A new module_utils for plugins has been added:

  plugins/module_utils/ansible_freeipa_module.py

And documentation for the modules:

  README-topology.md

New sample playbooks are available in playbooks/topology:

  playbooks/topology/add-topologysegment.yml
  playbooks/topology/delete-topologysegment.yml
  playbooks/topology/reinitialize-topologysegment.yml
  playbooks/topology/verify-topologysuffix.yml

The plugins folder can be used with the new Ansible Collections supported
by Ansible 2.8 and Ansible galaxy 3.2.

This will result in a better role documentation on galaxy.

The playbooks install-client.yml, install-cluster.yml, install-replica.yml,
install-server.yml, uninstall-client.yml, uninstall-cluster.yml,
uninstall-replica.yml and uninstall-server.yml have been moved into
the playbooks folder.

This test is not properly working with EL-8 nodes as the default system
python is not located in /usr/bin. Additionally Ansible 2.8 is able to
detect the default python version on the system. As the installation
base for IPA 4.5.90 where the Python 3 bindings have not been working
properly should be really small or not existing any more the deactivation
of this test should be fine.

The result from ipareplica_test should be used to enable freeipa-trust
in the firewall.

The hidden replica support introduced some incompatible changes to replica
deployment. The methods find_providing_server and find_providing_serves
have been moved from ipaserver.install.service to ipaserver.masters.
Additionally the host_name argument for find_providing_server is a list
now. This breaks existing ipareplica Ansible modules ipareplica_prepare
and ipareplica_enable_ipa.

The freeipa-trust service has not been added if adtrust was enabled. For
ipareplica the addition of freeipa-replication has been removed as the
used port is not used anymore since some time.

Fixes: #83 (when installing with ipaserver_setup_adtrust: true the firewalld
service freeipa-trust is not added)

Replication agreements are not removed with the command line tools.

This calms down ansible-lint in Ansible galaxy.

sstore and fstore have been set twice.

This fixes the type warnings while deploying server and replica.

The generated OTP password is stored into ipaadmin_password. The original
password is now saved and restored later on again.

This fixes the failure with incorrect password while installing the client
part in a replica deployment.

if _on_master is set, deactivate _get_otp as OTP is not needed at all
for the client side install part on a master.

gssapi is only needed for OTP if keytab is used. The common case with
password does not require gssapi.

This change also fixes the new ansible 2.8 failure if gssapi is not
installed on the controller. Ansible 2.8 seems to also transfer and load
action plugins to the node if they are not used.

Ignore "*.retry" and "*.pyc" files