adtrust: optimize forest root LDAP filter
`ipa trust-find' command should only show trusted forest root domains
The child domains should be visible via
ipa trustdomain-find forest.root
The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.
Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This allows us a way to
differentiate objects for the purpose of 'trust-find' /
'trustdomain-find' commands.
Fixes https://fedorahosted.org/freeipa/ticket/5942
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>