We will now eliminate any unknown options and providers to
guarantee that the domain is safe for use.

Fixes: #531

Also update manpage for min_id/max_id to be more clear about how
it relates to primary GID.

* add forgotten ldap_dns_service option
* sync IPA and LDAP options (ldap_pwd_policy and ldap_tls_cacertdir)
* ldap_uri is no longer mandatory for LDAP provider - the default is to
  use service discovery with no address set now. Ditto for krb5_kdcip
  and ipa_server

This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.

Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com

If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.

Previously, the option krb5_kpasswd was only available if
'chpass_provider = krb5' was specified explicitly. Now it will be
available also if 'auth_provider = krb5'.

This option was also missing from the IPA options, so I have added
it there as well

We had a hard-coded timeout of five seconds for DNS lookups in the
async resolver. This patch adds an option 'dns_resolver_timeout'
to specify this value (Default: 5)