82eca6c ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind

7 files Authored by abbra 3 months ago, Committed by frenaud 3 months ago,
    ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
    
    When authentication indicators were introduced in 2016, ipa-pwd-extop
    plugin gained the ability to reject LDAP BIND when an LDAP client insists
    the authentication must use an OTP token. This is used by ipa-otpd to
    ensure Kerberos authentication using OTP method is done with at least
    two factors (the token and the password).
    
    This enforcement is only possible when an LDAP client sends the LDAP
    control. There are cases when LDAP clients cannot be configured to send
    a custom LDAP control during BIND operation. For these clients an LDAP
    BIND against an account that only has password and no valid token would
    succeed even if admins intend it to fail.
    
    Ability to do LDAP BIND without a token was added to allow users to add
    their own OTP tokens securely. If administrators require full
    enforcement over LDAP BIND, it cannot be achieved with LDAP without
    sending the LDAP control to do so.
    
    Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
    prevent LDAP BIND with a password only if the user is required to have OTP
    tokens. With this configuration enabled, it will not be possible for
    users to add an OTP token if one is missing, thus ensuring no user can
    authenticate without OTP and admins will have to add initial OTP tokens
    to users explicitly.
    
    Fixes: https://pagure.io/freeipa/issue/5169
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
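The BIND decision the commit message describes, as an added illustrative model. This is not the ipa-pwd-extop C code and is not taken from the commit; it only encodes the policy the message states (control sent by ipa-otpd, token present or missing, EnforceLDAPOTP on or off) so the before/after difference is visible in one place. All names here are hypothetical, and the assumption that "user is required to have OTP tokens" corresponds to an ipaUserAuthType that allows otp but not password is mine; the sample users are constructed.

```python
# Added illustrative model of the password-only LDAP BIND decision described
# in the commit message. NOT the ipa-pwd-extop plugin code; every name below
# is hypothetical and the sample users are constructed for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Minimal stand-in for the user attributes the decision depends on."""
    uid: str
    # Values of ipaUserAuthType as the model interprets them: {"otp"} alone
    # makes a token mandatory, {"password", "otp"} accepts either factor set.
    # An empty set (inherit the global default) is treated as not requiring OTP.
    auth_types: frozenset
    has_valid_token: bool


def otp_required(user: User) -> bool:
    """A token is mandatory when 'otp' is allowed and 'password' is not."""
    return "otp" in user.auth_types and "password" not in user.auth_types


def password_only_bind_allowed(user: User, client_sent_otp_control: bool,
                               enforce_ldap_otp: bool) -> bool:
    """Decide whether a BIND carrying only the LDAP password succeeds.

    client_sent_otp_control models the custom BIND control ipa-otpd sends to
    insist on two factors; enforce_ldap_otp models the EnforceLDAPOTP
    configuration string (hypothetical parameter, not the plugin's API).
    """
    if not otp_required(user):
        return True       # password is an accepted authentication type
    if user.has_valid_token:
        return False      # a token exists, so the password alone is one factor short
    if client_sent_otp_control:
        return False      # client insisted on OTP: rejected since the 2016 change
    # Token-less user and no control: the historical fallback that lets a
    # user bind to enroll a first token. EnforceLDAPOTP closes it.
    return not enforce_ldap_otp


def user_can_self_enroll_token(user: User, enforce_ldap_otp: bool) -> bool:
    """Self-service token creation needs a password-only BIND from a client
    that does not send the control (e.g. the web UI or ipa CLI)."""
    return password_only_bind_allowed(user, client_sent_otp_control=False,
                                      enforce_ldap_otp=enforce_ldap_otp)


def decision_table(enforce_ldap_otp: bool):
    """Return (description, allowed) rows for constructed sample users."""
    samples = [
        ("password-only user", User("alice", frozenset({"password"}), False), False),
        ("otp user with token", User("bob", frozenset({"otp"}), True), False),
        ("otp user, no token, plain LDAP client", User("carol", frozenset({"otp"}), False), False),
        ("otp user, no token, ipa-otpd (control)", User("carol", frozenset({"otp"}), False), True),
    ]
    return [(desc, password_only_bind_allowed(u, ctrl, enforce_ldap_otp))
            for desc, u, ctrl in samples]


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"EnforceLDAPOTP={'on' if enforce else 'off'}")
        for desc, allowed in decision_table(enforce):
            verdict = "allowed" if allowed else "rejected"
            print(f"  {desc:42s} password-only BIND {verdict}")
```

The only row that changes between the two tables is the token-less OTP user binding from a client that cannot send the control: allowed with the setting off, rejected with it on, which is exactly why self-enrollment of a first token stops working and an administrator has to create it. The commit message calls EnforceLDAPOTP an "IPA configuration string"; assuming that means a value of the multi-valued ipaConfigString attribute on cn=ipaConfig, enabling it would look like `ipa config-mod --addattr ipaConfigString=EnforceLDAPOTP`, but the exact attribute and spelling are not shown on this page, so check the shipped documentation before relying on that command.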
    
        