Add support to automate external auth config for ldap #19228

Merged
merged 9 commits into from
Oct 30, 2019

@jvlcek jvlcek commented Aug 29, 2019

Currently the process of configuring an appliance for external authentication with
LDAP is a manual one.

This document describes the process: http://manageiq.org/docs/reference/latest/auth/ldap

This pull request will automate the manual steps outlined in that document for
a fresh ManageIQ appliance that has never been configured for authentication.

This pull request leverages the existing miqldap_to_sssd code that can be used to
convert a ManageIQ appliance that had been configured to use the MiqLdap client
for authentication and authorization, i.e. Mode: LDAP(S). The usage for the
existing MiqLdap To SSSD conversion tool is documented here:
http://manageiq.org/blog/2017/09/miqldap-to-sssd/

Similar documentation will be coming to describe the new fresh configuration functionality
introduced in the pull request.

Two major changes are being made to the existing miqldap_to_sssd code base to
support the new functionality introduced by this PR.

  1. The current miqldap_to_sssd code base relies on much of the needed LDAP configuration
    already being available in the ManageIQ database Settings.authentication table.
    This needed data will not be available there for a ManageIQ appliance that has not
    yet been configured for authentication. So this data must be passed on the command line.
    To enable this new command line functionality the current Cli#parse method is being
    moved into a new subclass CliConvert, with a second new subclass CliConfig being
    added.

  2. With this new functionality being introduced the name miqldap_to_sssd is no longer
    accurate, as that is only half of what this code base is being used for. To address
    this, miqldap_to_sssd is being renamed to miq_config_sssd_ldap.

One other pull request in the manageiq-appliance repo will accompany this pull request. It will update the associated executables
used to invoke this code base from the command line.

PR number will be published once available

Links [Optional]

Steps for Testing/QA

Two separate tests should be performed.

  1. One to confirm the existing miqldap_to_sssd functionality still functions correctly.
  2. The second to exercise the new functionality, being made available from the command miq_config_sssd

Test 1 Confirm existing functionality using the miqldap_to_sssd command

  1. Configure a fresh ManageIQ appliance
  2. Follow the instructions in the MiqLdap To SSSD conversion tool
    documentation to:
  3. Configure the ManageIQ appliance to use MiqLdap, i.e. Mode LDAP
  4. Run the miqldap_to_sssd command.

Test 2 Exercise the new functionality using the new miq_config_sssd command

  1. Configure a fresh ManageIQ appliance
  2. Log into the appliance shell and execute
  3. Run the configuration command.

For example:

miq_config_sssd \
        --domain="example.com" \
        --bind-dn="cn=Manager,dc=example,dc=com" \
        --bind-pwd="<my bind password>" \
        --mode="ldap" \
        --ldaphost="my-openldap.example.redhat.com" \
        --ldapport="389" \
        --user-type="dn-cn" \
        --user-suffix="ou=people,ou=prod,dc=example,dc=com"

jvlcek commented Aug 29, 2019

@miq-bot add_label enhancement
@miq-bot add_label authentication
@miq-bot assign @abellotti

jvlcek commented Aug 30, 2019

I've addressed most all of the rubocop warnings.
The remaining warnings are not new. They've existed since this code was introduced with this PR:
#15640

They are also not easily avoidable.

@jvlcek jvlcek force-pushed the miq_config_sssd_bz1745775 branch from 877701b to 522dcab Compare October 9, 2019 16:59

jvlcek commented Oct 17, 2019

@abellotti During our code walkthrough, you pointed out that the options should not be merged with Settings.authentication when doing a fresh configuration.

To address this I added the new element, action, to the options hash. MiqLdapConfiguration#initialize has been updated to not merge the options with Settings.authentication when action is set to config.

I also realized that I needed to update cli_config.rb to confirm that bind_dn and bind_pwd are required when Get user groups from ldap, AKA ldap_role, is true or mode is ldap.

Thank you again for reviewing this!
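
The two rules described in this comment, sketched as an added example that is not part of the original thread and not the ManageIQ tool's own code: bind credentials are required when mode is ldap or ldap_role is true, and the options are not merged with Settings.authentication when action is config. The method names, the --ldap-role flag and the merge precedence used for a conversion are assumptions; the other flags follow the example command in the PR description.

```ruby
require "optparse"

# Added illustration, not ManageIQ code. Method names, the --ldap-role flag and
# the merge precedence in initial_settings are assumptions.
def parse_config_args(argv)
  opts = {:action => "config", :ldap_role => false}
  OptionParser.new do |o|
    o.on("--domain=VALUE")            { |v| opts[:domain] = v }
    o.on("--bind-dn=VALUE")           { |v| opts[:bind_dn] = v }
    o.on("--bind-pwd=VALUE")          { |v| opts[:bind_pwd] = v }
    o.on("--mode=VALUE")              { |v| opts[:mode] = v }
    o.on("--ldaphost=VALUE")          { |v| opts[:ldaphost] = v }
    o.on("--ldapport=VALUE", Integer) { |v| opts[:ldapport] = v }
    o.on("--ldap-role")               { opts[:ldap_role] = true }
  end.parse(argv)
  opts
end

# Bind credentials are mandatory when groups come from LDAP or mode is "ldap".
# Returns the missing keys so the caller can report all of them at once.
def missing_bind_credentials(opts)
  return [] unless opts[:ldap_role] || opts[:mode] == "ldap"
  %i[bind_dn bind_pwd].select { |key| opts[key].to_s.strip.empty? }
end

# A fresh configuration ("config") uses only the command-line options; a
# conversion starts from the stored authentication settings.
def initial_settings(opts, stored_auth)
  opts[:action] == "config" ? opts.dup : stored_auth.merge(opts)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a stale stored host and an incomplete command line.
  stored = {:mode => "ldaps", :ldaphost => "old-ldap.example.com"}
  opts   = parse_config_args(%w[--domain=example.com --mode=ldap --ldaphost=ldap.example.com --ldapport=389])
  missing = missing_bind_credentials(opts)
  puts "missing required options: #{missing.join(', ')}" unless missing.empty?
  puts "host used: #{initial_settings(opts, stored)[:ldaphost]}"
end
```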

miq-bot commented Oct 30, 2019

Some comments on commits jvlcek/manageiq@6e05a3d~...4efc07e

spec/tools/miq_config_sssd_ldap/configure_appliance_settings_spec.rb

  • ⚠️ - 25 - Detected allow_any_instance_of. This RSpec method is highly discouraged, please only use when absolutely necessary.
  • ⚠️ - 26 - Detected allow_any_instance_of. This RSpec method is highly discouraged, please only use when absolutely necessary.
  • ⚠️ - 41 - Detected allow_any_instance_of. This RSpec method is highly discouraged, please only use when absolutely necessary.
  • ⚠️ - 42 - Detected allow_any_instance_of. This RSpec method is highly discouraged, please only use when absolutely necessary.

tools/miq_config_sssd_ldap/auth_template_files.rb

  • 💣 💥 🔥 🚒 - 8 - Detected cfme

miq-bot commented Oct 30, 2019

Checked commits jvlcek/manageiq@6e05a3d~...4efc07e with ruby 2.4.6, rubocop 0.69.0, haml-lint 0.20.0, and yamllint 1.10.0
29 files checked, 2 offenses detected

tools/miq_config_sssd_ldap.rb

tools/miq_config_sssd_ldap/cli_config.rb

jvlcek commented Oct 30, 2019

@gtanzillo or @abellotti All changes discussed have been made. Please merge.

@abellotti
Thanks @jvlcek for updating this. LGTM!! 👍

@abellotti abellotti added this to the Sprint 124 Ending Nov 11, 2019 milestone Oct 30, 2019
@abellotti abellotti merged commit eb7b294 into ManageIQ:master Oct 30, 2019