Merge freeipa-adusers-admins plugin code from https://github.com/abbra/freeipa-adusers-admins

This extension of ID overrides allows adding them to IPA groups and
roles to give them access to IPA management.

As a result, Active Directory users can manage FreeIPA resources if these
groups are part of appropriate roles. For example, adding an Active
Directory user ID override as a member of the 'admins' group would make it
equivalent to the built-in FreeIPA 'admin' user.

The code works by allowing user ID overrides from the Default Trust View
in FreeIPA to be members of IdM groups and roles. User ID overrides in
the Default Trust View can only be created for trusted Active Directory
users. When an Active Directory user authenticates with GSSAPI against the
FreeIPA LDAP server, its Kerberos principal is automatically mapped to
the user's ID override in the Default Trust View. The LDAP server's access
control plugin uses membership information of the corresponding LDAP
entry to decide how access can be allowed.

The Web UI part of this commit allows ID-overridden users to see the full
management console instead of self-service. It also allows adding ID
overrides to groups.

Fixes: https://pagure.io/freeipa/issue/7255
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1651577
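Because an ID override placed in 'admins' is as powerful as the built-in 'admin' user, an administrator will want to see which members of a privileged group are Active Directory ID overrides rather than native IPA users. The following POSIX shell audit is an added example, not part of this commit or of the FreeIPA project. It assumes the `--raw` output shape of `ipa group-show`, where each member is printed as `member: <DN>` and ID override entries sit under `cn=Default Trust View,cn=views,cn=accounts,<suffix>` with an `ipaanchoruuid` RDN; the group dump below is constructed, not captured from a server, and the SID in it is a placeholder. Membership itself is granted with the option this feature introduced, `ipa group-add-member <group> --idoverrideusers=<user@ad-domain>`; the script only reads, it never changes membership.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): find members of an IPA group that
# are user ID overrides from the Default Trust View, i.e. trusted Active
# Directory users who gained group membership through this feature.
# Assumption: `ipa group-show <group> --raw` prints members as "member: <DN>"
# and ID overrides live under cn=Default Trust View,cn=views,cn=accounts,...

# list_override_members: read `ipa group-show --raw` output on stdin and print
# only the member DNs that are ID overrides (entries under the trust view).
list_override_members() {
    awk '
        /^[[:space:]]*member:[[:space:]]*/ {
            sub(/^[[:space:]]*member:[[:space:]]*/, "")
            if ($0 ~ /,cn=Default Trust View,cn=views,cn=accounts,/) print
        }'
}

# count_override_members: number of ID-override members in the input.
count_override_members() {
    list_override_members | wc -l | tr -d ' '
}

# Constructed sample (not captured from a real server), shaped like
# `ipa group-show admins --raw` for a group holding the built-in admin,
# one native IPA user and one Active Directory user ID override.
# The SID is a placeholder, not a real domain SID.
SAMPLE_GROUP_SHOW='  dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
  cn: admins
  description: Account administrators group
  member: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  member: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
  member: ipaanchoruuid=:SID:S-1-5-21-0000000000-0000000000-0000000000-1234,cn=Default Trust View,cn=views,cn=accounts,dc=example,dc=test
  gidnumber: 1234000000
  objectclass: top
  objectclass: groupofnames'

# audit_group: on a real server this runs `ipa group-show "$1" --raw`
# (needs a Kerberos ticket); without the ipa client, or when
# IPA_AUDIT_OFFLINE is set, it falls back to the constructed sample.
audit_group() {
    group=$1
    if command -v ipa >/dev/null 2>&1 && [ -z "$IPA_AUDIT_OFFLINE" ]; then
        ipa group-show "$group" --raw
    else
        printf '%s\n' "$SAMPLE_GROUP_SHOW"
    fi | list_override_members
}

# Usage: IPA_AUDIT_OFFLINE=1 sh audit.sh   (offline, uses the sample)
#        sh audit.sh                        (on an enrolled client with a ticket)
audit_group admins
```

Run it against 'admins' and each group that is a member of a privileged role; any `ipaanchoruuid=...` line is an Active Directory account that now holds that group's permissions, which is exactly the effect the commit describes and the thing to review when trust-view overrides are granted management access.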