495da41 Provide Kerberos over HTTP (MS-KKDCP)

15 files changed. Authored by cheimes 8 years ago, committed by pvoborni 8 years ago.
    Provide Kerberos over HTTP (MS-KKDCP)
    
    Add integration of python-kdcproxy into FreeIPA to support the MS
    Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
    client requests over HTTP and HTTPS.
    
    - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
      dependencies are already satisfied.
    - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
      cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is
      present.
    - The installers and update create a new Apache config file
      /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
      /KdcProxy. The app is run inside its own WSGI daemon group with
      a different uid and gid than the webui.
    - An ExecStartPre script in httpd.service symlinks the config file to
      /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
    - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
      so that an existing config is not used. SetEnv from Apache config does
      not work here, because it doesn't set an OS env var.
    - python-kdcproxy is configured to *not* use DNS SRV lookups. The
      location of KDC and KPASSWD servers is read from /etc/krb5.conf.
    - The state of the service can be modified with two ldif files for
      ipa-ldap-updater. No CLI script is offered yet.
    
    https://www.freeipa.org/page/V4/KDC_Proxy
    
    https://fedorahosted.org/freeipa/ticket/4801
    
    Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
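The enable/disable switch described in the commit message (symlink the Apache config into conf.d iff the KDC master entry carries ipaConfigString=kdcProxyEnabled), shown as an added stand-alone example; this is not FreeIPA's own ExecStartPre script. The LDIF entry is constructed, the directories are temporary, and the exact-value match on kdcProxyEnabled is an assumption about how the real script compares the attribute.

```python
"""Simulate the ExecStartPre decision: link ipa-kdc-proxy.conf into conf.d
iff the KDC master entry has ipaConfigString=kdcProxyEnabled."""
import os
import tempfile

# Constructed sample of the master entry in LDIF form (no LDAP server needed).
SAMPLE_ENTRY = """dn: cn=KDC,cn=master.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
cn: KDC
ipaConfigString: enabledService
ipaConfigString: kdcProxyEnabled
"""

def config_strings(ldif_text):
    """Return all ipaConfigString values of a single LDIF entry (attribute names are case-insensitive in LDAP)."""
    values = []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "ipaconfigstring":
            values.append(value.strip())
    return values

def kdc_proxy_enabled(ldif_text):
    # Assumption: the flag value is compared exactly as written in the commit message.
    return "kdcProxyEnabled" in config_strings(ldif_text)

def sync_kdc_proxy_conf(enabled, src, confd):
    """Create the symlink when enabled, remove a stale one otherwise.
    Returns True when the link exists afterwards. Refuses to clobber a
    regular file sitting at the link path, since that was not ours."""
    link = os.path.join(confd, os.path.basename(src))
    if os.path.lexists(link) and not os.path.islink(link):
        raise RuntimeError("%s exists and is not a symlink" % link)
    if enabled:
        if not os.path.islink(link):
            os.symlink(src, link)
        return True
    if os.path.islink(link):
        os.unlink(link)
    return False

def demo():
    """Run both states against the constructed entry in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        src, confd = os.path.join(d, "ipa-kdc-proxy.conf"), os.path.join(d, "conf.d")
        open(src, "w").close()
        os.mkdir(confd)
        link = os.path.join(confd, "ipa-kdc-proxy.conf")
        on = sync_kdc_proxy_conf(kdc_proxy_enabled(SAMPLE_ENTRY), src, confd)
        linked = os.path.islink(link)
        disabled = SAMPLE_ENTRY.replace("ipaConfigString: kdcProxyEnabled\n", "")
        off = sync_kdc_proxy_conf(kdc_proxy_enabled(disabled), src, confd)
        return on, linked, off, os.path.lexists(link)
```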
    