Ticket #355 - winsync should not delete entry that appears to be out of scope
    
    https://fedorahosted.org/389/ticket/355
    Resolves: Ticket #355
    Bug Description: winsync should not delete entry that appears to be out of scope
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: There is a new winsync config attribute - winSyncMoveAction -
    this is the action to take on the DS side when the winsync finds an AD entry
    that has the same name/uid as a DS entry but the AD entry is out of the scope
    of the sync agreement (winsync has to search out of scope/subtree on AD to
    support deleted and moved entries).  In earlier versions of DS, these entries
    were ignored.  When DS was changed to support entry move/subtree rename, the
    winsync code was changed to delete entries moved out of scope.  The new
    winSyncMoveAction has 3 values:
    none - ignore moved entries (like older versions of DS)
    delete - delete DS entries when the AD entry moves out of scope - like current
             versions of DS
    unsync - new behavior - if the DS entry is currently synced with the AD entry
             this will cause the DS entry to be "unlinked" from the AD entry so
             that they will no longer be in sync
    The default value is "none" because we should not unexpectedly delete DS
    entries (principle of least astonishment).
    Another problem with winsync is that it allowed you to change the subtree and
    domain in the middle of a sync update - this can lead to a great deal of
    confusion if suddenly many entries are out of scope.  The fix is to "save"
    the changes in the entry, and apply those changes when the update is
    complete.
    Platforms tested: RHEL6 x86_64
    Flag Day: yes - new attribute, schema
    Doc impact: yes - new attribute, schema
    (cherry picked from commit 3206571b8ac8308482c20c3866f407079479b8e6)