Rebase ipa to 4.7.1

Issue

• The following change sets were already fixed upstream while working on RHEL 8 stabilization for FreeIPA 4.7 and identified to bring back to
  RHEL 8.0.

• Note that these are not singular patches but rather patchsets. Some of them are rather large, especially in the 'required fixes' sublist.

• With this list being as it is, we are strongly considering to propose a rebase to RHEL 8.0. Both 'required fixes' and 'good to have' are direct result of responding to issues found in RHEL 8. List of changes in 'Optional' is comprised mostly of upstream tests. The only element that we did not write ourselves are translation fixes contributed by the external upstream contributors.

• The following fixes are requested to be included

Fix KRA replica installation from CA master #2160
[ipaclient-install: chmod needs octal permissions #2183]
Do not set ca_host when --setup-ca is used. #2185
Check if user permssions and umask 0022 is set after ipa-restore #2194
Restore SELinux context of session_dir /etc/httpd/alias and template_dir /var/log/dirsrv/slapd-X #2198
Re-open the ldif file to prevent error message #2222
[do not use RC4 in FIPS mode #2228]
ipa-extdom-extop: Update licenses to GPLv3 or later with exceptions #2236
Fix js error on reset view #2269
Clear next field when returnining list elements in queue.c #2283
Fix SELinux violation in fedora-domainname.service detection #2301
Use $(hostname -f) to determine hostname in mod_ssl password script #2303
Delete empty keytab during client installation #2308
ipa-server-install: do not perform forwarder validation with --no-dnssec-validation #2310
ipa-replica-install: fix pkinit setup #2326
Fix certificate type error when exporting to file #2327
ipa-replica-install: properly use the file store #2332
[Advise plugin for enabling sudo for members of the admins group #2349]
ipa-advise: configure pam_cert_auth=True for smart card on client #2359
authselect: harden uninstallation of ipa client #2363
ipa vault-archive overwrites an existing value without warning #2065
[RFE] DNS package check should be called earlier in installation routine #2090
Support Samba 4.9 #2373
Workaround for pyasn1 0.4 #2381

Fix CA topology warning #2114 (contains unicode fix)
Fix link to browser configuration guide at Login page #2123
(Turn multihost config problems into errors #2129)
In IPA 4.4 when updating userpassword with ldapmodify does not update… #2181
Honor no-host-dns when creating client host in replica install #2189
Convert members into types in sudorule-*-option #2190
Tests: add integration test for 7601 #2200
uninstall -v: remove Tracebacks #2265
ipa commands: print 'IPA is not configured' when ipa is not setup #2268
Fix render validation items on keypress event at login form #2270
Retrieve certificate subject base directly instead of ipa-join #2299
ipa-otptoken-import: support import from CSV file #2241
Sprinkle raw strings across the code base #2380

Disable Pylint 2.0 violations #2150
ipa_tests: test ssh keys login #2195
Rename pytest_plugins to ipatests.pytest_ipa #2199
Test if WSGI worker process count is set to 4 #2246
test: client uninstall fails when installed using non-existing hostname #2247
DS replication settings: fix regression with <3.3 master #2263
Fix the uninstall test, execute in the nightly runs #2266
Integration test for sssd_ssh leaks #2287
bump PRCI template version to 0.1.8 #2314
Fix webui tests #2324
Adapt freeipa.spec.in for latest Fedora, fix python2 ipatests packaging bug #2325
https://github.com/freeipa/freeipa/pull/2333
Tests: remove dl0 tests from nightly definition #2370
ipatests: mark known failures as xfail #2375



Fix reset_password page translations #2109
Fix sync_otp page translation #2110
Fix translation of "unauthorized" and "ssbrowser" WebUI pages #2151
Fix translation of migration pages #2157