adtrust: optimize forest root LDAP filter
    
    `ipa trust-find' command should only show trusted forest root domains
    
    The child domains should be visible via
    
       ipa trustdomain-find forest.root
    
    The difference between forest root (or external domain) and child
    domains is that root domain gets ipaIDObject class to allow assigning a
    POSIX ID to the object. This POSIX ID is used by Samba when an Active
    Directory domain controller connects as forest trusted domain object.
    
    Child domains can only talk to IPA via forest root domain, thus they
    don't need POSIX ID for their TDOs. This allows us a way to
    differentiate objects for the purpose of 'trust-find' /
    'trustdomain-find' commands.
    
    Fixes https://fedorahosted.org/freeipa/ticket/5942
    
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>