Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.

This patch also fixes default zonemgr value in help texts and man
pages.

https://fedorahosted.org/freeipa/ticket/2272

For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns
ipa-client-install option is used.

For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).

ticket 1634

This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.

https://fedorahosted.org/freeipa/ticket/1634

Let ipa-replica-prepare and ipa-replica-install work without
proper DNS records as records in /etc/hosts are sufficient for
DS replication.

  1) ipa-replica-prepare now just checks if the replica hostname
     is resolvable (DNS records are not required). It is now able
     to prepare a replica file even when the replica IP address is
     present in /etc/hosts only.
  2) ipa-replica-install is now able to proceed when the hostname
     is not resolvable. It uses an IP address passed in a new
     option --ip-address to create a record in /etc/hosts in the
     same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2139

Make sure that the hostname IPA uses is a system hostname. If user
passes a non-system hostname, update the network settings and
system hostname in the same way that ipa-client-install does.

This step should prevent various services failures which may not
be ready to talk to IPA with non-system hostname.

https://fedorahosted.org/freeipa/ticket/1931

Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that user
really want to install it by implementing the following steps:

- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
  when one runs ipa-server-install

https://fedorahosted.org/freeipa/ticket/1908

There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.

To further improve man pages:

1) All man pages were changed to have the same header and top-center
   title to provide united look.

2) Few typos in man pages have been fixed

https://fedorahosted.org/freeipa/ticket/1687

Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:

 1) Zone refresh
    Set --zone-refresh in installation to define number of seconds
    between bind-dyndb-ldap polls for new DNS zones. User now
    doesn't have to restart name server when a new zone is added.

 2) New zone notifications
    Use LDAP persistent search mechanism to immediately get
    notification when any new DNS zone is added. Use --zone-notif
    install option to enable. This option is mutually exclusive
    with Zone refresh.

To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:

dynamic-db "ipa" {
...
        arg "zone_refresh 0";
        arg "psearch yes";
};

This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.

https://fedorahosted.org/freeipa/ticket/826

Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.

ticket 1570