The ipa_client_installed option was named as client_configured in the
DOCUMENTATION section.

The default value for selinux_works was missing in the DOCUMENTATION
section.

DOCUMENTATOIN section: Fix required for name, add missing
delete_continue to services option.

The no_log tag is only allowed in the argument_spec, but not in the
DOCUMENTATION section. Set no_log=False for token_uri and
keys_uri=keys_uri in the argument_spec to enforce logging.

The element type for sshpubkey was using 'element' instead of 'elements'
also the type for nomembers was wrong in the DOCUMENTATION section.

Several fixes for the DOCUMENTATION section: The short_description tag
was 'short description', the chain option was missing and the unknown
authers tag has been removed.

In the freeipa inventoty plugin, fix version to 1.13.0 and drop unknown
tag plugin_type.

The default setting for delete_continue was True instead of true for
delete_continue in the DOCUMENTATION section.

tests/sanity/sanity.sh: Install setuptools with pip

user: Fix idp_user_id aliases

plugins/inventory/freeipa: Try imports for requests and urllib3

permission: Fix idempotency issues for DN parameters

README-service.md: Add multi service handling

Convert input certificates

ansible_freeipa_module: Fix errors in batch mode

Fixes for FreeIPA 4.12

setuptools might not be installed before importing and using
galaxy_importer. This could result in a backtrace by disabling
ANSIBLE_TEST_LOCAL_IMAGE in galaxy-importer.cfg to run latest tests.

The alias for idp_user_id was ipaidpconfiglink by mistake. It was
already correct (ipaidpsub) in the DOCUMENTATION section and also
in the README.

The EXAMPLES section only contained a very simple example for multi
service handling. The examples from the README have been added.

The service READNE so far lacks the documentation of multi service
handling within a single task.

The alias for the continue parameter was also added.

Fixes: #1113

Bump minimum supported Ansible version

The bindings for requests and urllib3 might not be available, especially
in the ansible-test fake execution test (next version). These imports are
now in a try exception clause to make sure that the fake execution test
will be passing and also that there is a better error message if the
bindings are missing.

urllib3.exceptions.InsecureRequestWarning is now also only disabled if
no certificate has been given for the verification of the connection.

ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

This patch updates the minimum supported Ansible version and the list
of available modules.

ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

This patch includes the change to the version number in the collection
and all plugin README files. The collection README was also update to
remove text that related only to previous Ansible versions.

The parameters

- subtree (ipapermlocation)
- target (ipapermtarget)
- targetto (ipapermtargetto)
- targetfrom (ipapermtargetfrom)

have not been idempotent as the result returned from permission_show was
a DN and not a string.

The find_permission function has been exetended to convert the values
for these parameters to strings.

Fixes: #1257

The error string returned by execute_ipa_commands in batch mode
additionally contains the whole parameter list for the command. This is
different to non batch mode execution and breaks tests that are checking
the returned error message.

A left over debug message also have been removed from the error
processing.

Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.

Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.

Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.

Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.

Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.

New function:
- convert_input_certificates(module, certs, state)

FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d

    After an HSM replica install ensure all certs are visible

    If a certificate on a token does not have NSS trust set then
    it won't be visible in the softoken. This can be disconcerting
    for those used to seeing all the certificates.

    Loop through the possibilities and set no trust (or Peer) for
    all the certificates on the token.

    Also ensure that the CA certificate has the correct nickname.

    Related: https://pagure.io/freeipa/issue/9273

replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is
called instead if the client was configured before deploying with
iparepica role.

FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d

    Refactor CA file handling in replica installer

    Clean up and remove obsolete code from ipa-replica-install. For several
    versions replica installer first ensures that a host is an IPA client,
    then promotes the client to a replica. The client installer code sets up
    CA stores like IPA_CA_CRT already.