3d41453 ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager

4 files. Authored by abbra 4 years ago, committed by cheimes 4 years ago.
    ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
    
    Password changes performed by cn=Directory Manager are excluded from
    password policy checks according to [1]. This is correctly handled by
    ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
    non-Kerberos accounts were not excluded from the check.
    
    As a result, password updates for the PKI CA admin account in o=ipaca were
    failing if a password policy does not allow password reuse. We are
    re-setting the password for the PKI CA admin in ipa-replica-prepare in case
    the original directory manager's password was updated since creation of
    `cacert.p12`.
    
    Do the password policy check for non-Kerberos accounts only if the password
    was set by a regular user or admin. Changes performed by cn=Directory Manager
    and passsync managers should be excluded from the policy check.
    
    Fixes: https://pagure.io/freeipa/issue/7181
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    
    [1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/user_account_management-managing_the_password_policy
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
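The C program below is an added illustration of the policy gate the commit message describes; it is not ipa-pwd-extop code and nothing in it is taken from the FreeIPA tree. Every type, function and DN is a hypothetical model (the PassSync manager DN, the o=ipaca admin entry and its password history are constructed sample data), and history is held in cleartext only to keep the example short. It contrasts the pre-fix decision, where the Directory Manager / PassSync exemption was only consulted on the Kerberos-principal path, with the post-fix decision, where the exemption depends solely on the bind identity, and replays the ipa-replica-prepare case from the message: the DM re-sets the CA admin password to a value already in that entry's history under a policy that forbids reuse.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of what the password extop sees; no type or function
 * here comes from ipa-pwd-extop. History is cleartext only to stay short. */
#define MAX_HISTORY 8

typedef struct {
    const char *dn;                    /* entry being updated */
    bool is_kerberos_principal;        /* entry has Kerberos keys */
    const char *history[MAX_HISTORY];  /* previously used passwords (constructed) */
    size_t history_len;
} account_t;

typedef struct { bool allow_reuse; size_t min_length; } pwpolicy_t;

typedef struct {
    const char *directory_manager_dn;  /* cn=Directory Manager */
    const char **passsync_manager_dns; /* DNs configured as PassSync managers */
    size_t n_passsync;
} server_config_t;

enum { PW_OK = 0, PW_TOO_SHORT = 1, PW_REUSED = 2 };

/* Case-insensitive compare. Real DN matching must also normalize spacing and
 * escapes (RFC 4514); that is left out here, but a bind DN that differs only
 * in case must not silently re-enable the policy check. */
static bool dn_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* The exemption is a property of the bind identity, never of the target. */
static bool bind_dn_is_policy_exempt(const server_config_t *cfg, const char *bind_dn)
{
    if (dn_equal(bind_dn, cfg->directory_manager_dn))
        return true;
    for (size_t i = 0; i < cfg->n_passsync; i++)
        if (dn_equal(bind_dn, cfg->passsync_manager_dns[i]))
            return true;
    return false;
}

/* Before the fix: the exemption only existed on the Kerberos-principal path,
 * so a non-Kerberos entry such as the CA admin in o=ipaca was always checked. */
static bool should_check_before(const server_config_t *cfg, const char *bind_dn,
                                const account_t *acct)
{
    return acct->is_kerberos_principal ? !bind_dn_is_policy_exempt(cfg, bind_dn) : true;
}

/* After the fix: the decision depends only on who binds. */
static bool should_check_after(const server_config_t *cfg, const char *bind_dn,
                               const account_t *acct)
{
    (void)acct;
    return !bind_dn_is_policy_exempt(cfg, bind_dn);
}

static int check_policy(const pwpolicy_t *pol, const account_t *acct, const char *newpw)
{
    if (strlen(newpw) < pol->min_length)
        return PW_TOO_SHORT;
    for (size_t i = 0; !pol->allow_reuse && i < acct->history_len; i++)
        if (strcmp(acct->history[i], newpw) == 0)
            return PW_REUSED;
    return PW_OK;
}

/* Models the extop entry point; 'fixed' selects pre- or post-fix behaviour. */
int set_password(const server_config_t *cfg, const pwpolicy_t *pol, const char *bind_dn,
                 const account_t *acct, const char *newpw, bool fixed)
{
    bool check = fixed ? should_check_after(cfg, bind_dn, acct)
                       : should_check_before(cfg, bind_dn, acct);
    return check ? check_policy(pol, acct, newpw) : PW_OK; /* storing is omitted */
}

/* Constructed scenario from the commit message: CA admin in o=ipaca, no
 * Kerberos keys, policy forbids reuse, history already contains "Secret123". */
int run_scenario(const char *bind_dn, const char *newpw, bool fixed)
{
    static const char *passsync[] = {
        "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=test" };
    server_config_t cfg = { "cn=Directory Manager", passsync, 1 };
    pwpolicy_t pol = { false, 8 };
    account_t ca_admin = { "uid=admin,ou=people,o=ipaca", false,
                           { "Secret123old", "Secret123" }, 2 };
    return set_password(&cfg, &pol, bind_dn, &ca_admin, newpw, fixed);
}
```

`run_scenario("CN=Directory Manager", "Secret123", false)` reproduces the failure (PW_REUSED) and the same call with `fixed` set to true is accepted, while a self-service change by the CA admin entry itself is still rejected for reuse. The point worth keeping from the model is the ordering: establish who bound first and skip policy for the exempt DNs before looking at what kind of entry is being touched, rather than testing the exemption inside only one of several per-entry-type code paths.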