d394afc ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

Authored and Committed by jrische 7 months ago
    ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
    
    Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH
    authdata is no longer generated. However, on krb5 versions prior to
    1.20, the KDC still expects an AD-SIGNEDPATH when verifying a
    constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this
    requirement is not needed, because the PAC signatures are already
    fulfilling this role.
    
    CentOS and RHEL downstream releases of krb5 will include the
    "optional_ad_signedpath" KDB string attribute, which allows the
    AD-SIGNEDPATH requirement to be disabled in case the PAC is present.
    
    This commit sets the "optional_ad_signedpath" string attribute to "true"
    systematically on the TGS principal if the database abstract layer (DAL)
    of krb5 is version 8 or older (prior to krb5 1.20).
    
    Fixes: https://pagure.io/freeipa/issue/9448
    
    Signed-off-by: Julien Rische <jrische@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>