If use_otp is not enabled, then the principal will be set to "admin" after
the discovery has been done. If use_otp is enabled, then the princial will
be set to "admin" after the join has been done - as admin will not match
with the otp.

The use of otp can be forced to not transfer the admin password while setting
up the ipa client. Only the one-time-password will be transferred to the
client machine.

ipaclient_password will be overwritten by the otp password.

Also: Add ipaclient_kinit_attempts default value to
roles/ipaclient/defaults/main.yml

The one_of check was using a tuple instead of a list, the check for principal
or keytab has been removed, a new mutually exclusive check for password
xor keytab has been added.

New variables have been added (undefined by default):
  krb5_dns_canonicalize_hostname
  krb5_pkinit_anchors
  krb5_pkinit_pool

These are set according to the ipa version requirements. See
roles/ipaclient/tasks/install.yml

For ipa versions prior to 4.5 it is needed to use ipa-client-install script
as a source for functions. But the script contains a global finally clause
in which the generated ccache file gets removed. Threfore the script is
temporarily copied to ipa_client_install.py and the global finally clause
gets removed from the copy. All this is done in a temporary directory, which
gets removed right after the import has been done.

For ipa versions prior to 4.5 it is needed to use ipa-client-install script
as a source for functions. But the script contains a global finally clause
in which the generated ccache file gets removed. Threfore the script is
temporarily copied to ipa_client_install.py and the global finally clause
gets removed from the copy. All this is done in a temporary directory, which
gets removed right after the import has been done.

A Object called options is generated as ipa-client-install and also
ipaclient/install/client.py functions are using this object.

inspect.argspec is used on configure_krb5_conf to find out if the function
requires configure_sssd as an optional argument or in the options object.

freeipa 4.4 is the first version that supports all needed functions.
Therefore a check has been added to make sure that ipadiscovery fails for
versions before 4.4.

The python bindings of ipa versions before 4.6 are having a different
structure.

ipa_python_version is the version gathered from ipapython.version.NUM_VERSION.
For ipa versions before 3.2.1, the version is generated from
ipapython.version.VERSION because NUM_VERSION changed the format two times
before 3.2.1.

The discovery was not working if a server has been specified. The domain has
been needed additionally. The domain is now gathered from the server name if
it is missing in this case.

- Backup ipa default conf
- Backup krb5.conf

This is needed to be able to use defined and undefined checks.

The sssd role has been deactivated in favor of the new sssd module, because the module is able to adapt an existing configuration.

The advantage of the use of SSSDConfig is that an existing configuration could be changed and not simply overwritten.