When OTP is used for installation of a client or the client part of
a replica and also there is no DNS record for the client, then
ipaclient_get_otp fails in the host_add call.

With the force mode the host_add call will ignore the missing DNS
record and will properly add the host. The host information and also
the DNS record will be updated while deploying the client according
to the given settings.

Fixes: #74 (ipaclient fails when ipaclient_use_otp is true and client ..)

sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.

This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.

The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.

ipaclient_test now returns ntp_servers and ntp_pool, which are then used
for ipaclient_setup_ntp.

If kinit_password call failed because of wrong password or even because
kinit was not found, there was a very unspecific error message. Now these
errors will be properly reported.

Fixes: RHBZ#1727277

Add Information about needed /usr/bin/kinit on the controller when OTP is used

This is not needed and will calm down ansible-lint, which is not able
to handle the extra tasks folder prefix.

These vars files are providing the module names used with the Ansible
package module to install the needed RPM packages.

This has not been done so far in the ansible_ipa_client, but only in the
modules where it was really needed. But as these places are getting more
with 4.7.90, this setting makes it into the module_utils.

Currently the error message of ipaclient_get_otp is not visble if it failed
due to the use of no_log. The no_log option is needed and useful if the
one-time password has successfully been generated, but is bad if there was
an error while generating the password, for example if a clock skew has been
detected.

There is now a new task to print the error message if ipaclient_get_otp. The
task for ipaclient_get_otp has been marked with "ignore_errors: yes" and
the new task "Install - Report error for OTP generation" will always fail
and only be used if result_ipaclient_get_otp is failed.

The check for the ipaadmin_keytab was not using "is defined". Because of this
the playbook processing failed if the variable was not defined.

This is for example the case if ipaadmin_keytab is used instead without
ipaclient_use_otp.

ipaadmin_keytab has been supported only with with ipaclient_use_otp. But
it can also be used without for ipa-join.

Important is that ipaadmin_keytab needs to be placed on the cliend node
and ipaadmin_keytab needs to be a full path. Otherwise the file will not
be found.

Password and keytab do not need to be set explicitely to an empty string
when they are not set. Also there is no need to have string length checks
in the role tasks.

With the deactivation of the Python2/3 test the handling of
ansible_python_interpreter needs to be removed as the setting might
not exist and is not changed in with the Python2/3 test any more.

Run validate_hostname to check for valid host name if constants.MAXHOSTNAMELEN
is defined. The call has not been used in older FreeIPA versions.

ansible-freeipa is a new Ansible Collection introduced with Ansible 2.8 and
Ansible Galaxy 3.2.

This will result in a better role documentation on galaxy.

The use of squash_actions to invoke a package module, such as “yum”, to
only invoke the module once is deprecated, and will be removed in
Ansible 2.11.
Instead of relying on implicit squashing, tasks should instead supply
the list directly to the name, pkg or package parameter of the module.

See [1] for a reference to the upstream documentation.

The ipa-krb5 and ipa-sssd modules include *_packages variables in both
defaults/ and vars/, additionally, the list of packages in ipa-sssd differs
from one to the other.
Unify list of packages into vars/

[1]: https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions

This test is not properly working with EL-8 nodes as the default system
python is not located in /usr/bin. Additionally Ansible 2.8 is able to
detect the default python version on the system. As the installation
base for IPA 4.5.90 where the Python 3 bindings have not been working
properly should be really small or not existing any more the deactivation
of this test should be fine.

The generated OTP password is stored into ipaadmin_password. The original
password is now saved and restored later on again.

This fixes the failure with incorrect password while installing the client
part in a replica deployment.

if _on_master is set, deactivate _get_otp as OTP is not needed at all
for the client side install part on a master.

gssapi is only needed for OTP if keytab is used. The common case with
password does not require gssapi.

This change also fixes the new ansible 2.8 failure if gssapi is not
installed on the controller. Ansible 2.8 seems to also transfer and load
action plugins to the node if they are not used.

Correcting small typo for lenth to length in a check

Dependencies and platforms have been updated. Commented out lines has been
removed.

There have been several settings in ipaclient_setup_nss that have been
hard coded instead of using the settings from the role. This has been
fixed and the code in ipaclient_setup_nss has been updated to the latest
version of FreeIPA with compatibility changes for older FreeIPA versions.
Additionally the api is now properly configured so that the DNS SSHFP
records are now properly created if no_dns_sshfp is not enabled.

The old name ntpconf has been still used in one place of the NTP
configuration for FreeIPA versions that do not provide the sync_time
function.

Fixes: #76 (Ansible Configure NTP Task)

The use of version numbers for backward compatibility checks is not
optimal because the version number is not changed if changes are back
ported. The version dependant check has been replaced with an inspect
argspec check.

options.no_krb5_offline_passwords was set using the not existing role
variable krb5_offline_passwords instead of no_krb5_offline_passwords.

This reverts commit bbaaf1f7.

Meta end_play has been used as a simple solution to end the playbook
processing in special conditions, like for example when the deployment
was already done before.

meta end_play has been replaced with blocks and conditions for these
blocks.

Fixes: #70 (Avoid using meta end_play)