When a fail_json is called a SystemExit exeception is raised.
Since the FreeIPABaseModule has an internal context manager to deal
with exceptions this ContextManager captures the SystemExit. After
dealing destroying the kinit session the SystemExit must be raised again
to allow the fail_json to work properly.

Fix service tests.

The name "www.ansible.com" was used as a host, but this required
that DNS forwarding is enabled and configured to test serivces
for hosts that have an IP address but are not host objects in IPA. 
This change set a a host name that lies in the testing domain, and has 
an IP address defined, buth is not added as a host object,
so the forwarding DNS configuration is not needed for this test.

Running upstream tests on Azure pipelines

Added comment about problem with no_log in Azure CI. While running on CI
using ansible 2.10a the content of attributes with no_log=True is
replaced by ***** on ansible causing test failures.

* Moved azure CI definitions from azure-pipelines.yml to
  tests/azure/azure-pipelines.yml.
* Updated azure CI definitions to run playbook tests using docker
  containers.

* Adapted tests/test_playbook_runs.py script to allow tests to be
  executed from a docker container.
* Added molecule scenarios to create/destroy test containers and
  respective documentation in tests/README.md.

In some case the tests needs to have the class A, B and C of reverse DNS
set in order to function properly. Those missing classes where
added/updated in dnsrecord, services and host tests.

Since we are using docker for running the tests we can no longer rely on
groups.ipaserver[0] as the managed host hostname.

ipa[server,replica,client]: New OracleLinux vars files

Add support for IPA CLI option `posix`.

This patch adds suport for the IPA CLI option `posix` when modifying
an existing group. Also, enhances verification of `external` and
`posix/non-posix` groups to avoid unneded API failures (e.g. when
no change to the posix/external status is needed).

A new test was added:

    tests/group/test_group_external_nonposix.yml

These are links to the Red Hat Enterprise linux files.

New Role management module

There is a new role management module placed in the plugins folder:

    plugins/modules/iparole.py

The role module allows to ensure presence or absence of roles and
manage role members.

Here is the documentation for the module:

    README-role.md

New example playbooks have been added:

    playbooks/role/role-is-absent.yml
    playbooks/role/role-is-present.yml
    playbooks/role/role-member-group-absent.yml
    playbooks/role/role-member-group-present.yml
    playbooks/role/role-member-host-absent.yml
    playbooks/role/role-member-host-present.yml
    playbooks/role/role-member-hostgroup-absent.yml
    playbooks/role/role-member-hostgroup-present.yml
    playbooks/role/role-member-privilege-absent.yml
    playbooks/role/role-member-privilege-present.yml
    playbooks/role/role-member-service-absent.yml
    playbooks/role/role-member-service-present.yml
    playbooks/role/role-member-user-absent.yml
    playbooks/role/role-member-user-present.yml
    playbooks/role/role-members-absent.yml
    playbooks/role/role-members-present.yml
    playbooks/role/role-rename.yml

New tests for the module:

    tests/role/test_role.yml
    tests/role/test_role_service_member.yml

tests/external-signed-ca-../external-ca.sh: Password too weak in FIPS…

The password that is used in the script to generate the CA and also sign
the CSR is not strong enough in FIPS mode. In normal mode the password was
ok, though.

In FIPS mode the password needs to have at least one upper, lower, digit
and a special char.

Fix variable name error

Terminology improvements: use allow list.

ipareplica: Fix missing parameters for several modules

The parameters master_host_name, config_setup_ca, dirman_password have not
been set for some modules. Also there was no ldap2 connection within
ipareplica_setup_kra. All this resulted in improper configuration where
for example KRA deployment failed in the end.

A conversion warning in ipareplica_setup_adtrust has also been fixed for
the setup_ca parameter.

Fixes #314 (IPA replica installation failure - DS enabled SSL - second part)

Adhere to recent changes on FreeIPA CLI help messages.
Also, see: https://tools.ietf.org/id/draft-knodel-terminology-01.html

ipa[server,replica]: Fix pkcs12 info regressions introduced with CA-less

With the CA-less patches the types for the pkcs12 infos have been changed
to lists in the modules. This is resulting in a bad conversion from None
to [''] for the parameters. Because of this a normal replica deployment is
failing as [''] is not a valid value.

The install.yml files for ipareplica and also ipaserver have been changed
in the way that the pkcs12 values are checked if they are None. The
parameter will simply be omitted in this case and the parameter in the
module will become None by default.

action_plugins/ipaclient_get_otp: Discovered python needed in task_vars

Ansible is now also supporting discovered_python_interpreter for
action_plugins. task_vars needs to be non Null and contain a setting for
discovered_python_interpreter. The ipaclient_get_otp action_plugin
therefore needed to be adapted.

Fixes ipaservice disable tests.

Due to use of some shell commands that required a Kerberos ticket,
the ipaservice test test_service_disable would no work if a ticket
was not granted before it ran. This patch adresses this issue by
acquiring a ticket for the `admin` user before it is needed, and
destroying the tickets by the end of the test execution.

ipa[user,host]: Fail on duplucate names in the users and hosts lists

ipa[host]group: Fix membermanager unknow user issue

If a unknown membermanager user presence will be ensured, the unknown user
error was ignored. This has been fixed in ipagroup. The code for the error
handling in ipagroup and ipahostgroup has been adapted because of this.

New tests for tests/[host]group/test_[host]group_membermnager.yml have been
added.

Add suppport for changing password of symmetric vaults.

Allows changing passwords of symmetric waults, using a new variable
`new_password` (or the file-base version, `new_password_file`). The
old password must be passed using the `password` or `password_file`
variables that also received new aliases `old_password` and
`old_password_file`, respectively.

Tests were modyfied to reflect the changes.

It was possible to have several entries for names with the hosts and users
lists. This resulted sometimes in errors but also unexpected changes. A new
check has been added to make sure that the names in the users and hosts
lists are unique.

New tests have been added to verify this in the existing files:
- tests/host/test_hosts.yml
- tests/user/test_users.yml

Fixes service disable when service has no certificates attached.