1f82d28 service delegation: allow to add and remove host principals

Authored and Committed by abbra 3 years ago
    service delegation: allow to add and remove host principals
    
    Service delegation rules and targets deal with Kerberos principals.
    As FreeIPA has separate service objects for hosts and Kerberos services,
    it is not possible to specify a host principal in the service delegation
    rule or a target because the code assumes it always operates on Kerberos
    service objects.
    
    Simplify the code to add and remove members from delegation rules and
    targets. New code looks up the name of the principal in cn=accounts,$BASEDN
    as a krbPrincipalName attribute of an object with krbPrincipalAux object
    class. This search path is already optimized for the Kerberos KDC driver.
    
    To support host principals, the specified principal name is checked to
    have only one component (a host name). Service principals have more than
    one component, typically a service name and a host name, separated by a '/'
    sign. If the principal name has only one component, the name is
    prepended with 'host/' to be able to find a host principal.
    
    The logic described above also allows capturing aliases of both
    Kerberos service and host principals. An additional check was added to
    allow specifying single-component aliases ending with a '$' sign. These
    are typically used for Active Directory-related services like databases
    or file services.
    
    RN: service delegation rules and targets now allow specifying hosts as
    RN: a rule or a target's member principal.
    
    Fixes: https://pagure.io/freeipa/issue/8289
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
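
The member lookup described in the commit message, sketched as an added Python example (not FreeIPA's code): a single-component name gets 'host/' prepended unless it ends with '$', and the result is escaped before it goes into the krbPrincipalName filter. The function names, the default-realm parameter and the sample inputs are assumptions made for this illustration, as is the simplification that names contain no escaped '/' or '@'.

```python
# Added illustration, not FreeIPA code; every name below is hypothetical.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_member(principal, default_realm):
    """Turn user input into the principal name to search for."""
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no realm given: rpartition put the whole input last
        name, realm = principal, default_realm
    components = name.split("/")
    if not realm or any(not part for part in components):
        raise ValueError("malformed principal name: %r" % principal)
    # One component and no trailing '$': treat it as a host name.
    if len(components) == 1 and not name.endswith("$"):
        name = "host/" + name
    return "%s@%s" % (name, realm)


def member_search(principal, basedn, default_realm):
    """Return (search base, filter) for the lookup the commit describes."""
    value = escape_filter_value(normalize_member(principal, default_realm))
    flt = "(&(objectClass=krbPrincipalAux)(krbPrincipalName=%s))" % value
    return "cn=accounts," + basedn, flt


if __name__ == "__main__":
    # Constructed sample inputs.
    for raw in ("client.example.test", "HTTP/web.example.test", "FILESRV$", "srv*)("):
        print(member_search(raw, "dc=example,dc=test", "EXAMPLE.TEST"))
```

Escaping the value keeps filter metacharacters in a member name from changing which objects the search matches.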