cloudera-labs / cloudera.cluster

An Ansible collection for lifecycle and management of Cloudera CDP Private Cloud resources on bare metal, IaaS, and PaaS.
Apache License 2.0

Expand ldap search filters and ecs fixes #73

Closed clevesque closed 1 year ago

clevesque commented 1 year ago

Expand ldap search filters (user & group) to allow for any legal filter expression.

Older implementation assumed all ldap filters end with "={0}"

This newer implementation allows the user to craft any legal filter expression, including complex compound expressions, like (&(|(member={0})(member={1}))(objectClass=group))

Introduces attribute: auth_provider.ldap_search_filter.group
Obsoletes attribute: auth_provider.ldap_search_filter.member

Signed-off-by: Chuck Levesque clevesque@cloudera.com

clevesque commented 1 year ago

Note: does not do any assertion that the string is legal, user must provide a valid expression.

Future work could include assertion on the filter string with regex, e.g. https://rgxdb.com/r/5VS2C5LM

/^(\s((?:&|+|(?:!(?1))|[a-zA-Z][a-zA-Z0-9-][<>~]?=[^()])\s)\s*)$/

This expression supports a strict subset of the full grammar. This means that anything that matches will be a valid filter, but not all valid filters will match.

See RFC 2254.
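The two comments above describe a filter template whose {N} placeholders are filled in at search time, and leave validation of the template as future work. The Python below is an added example, not code from the cloudera.cluster collection: it checks a template against the RFC 2254 grammar with a small recursive-descent parser (so the "strict subset" caveat of a regex does not apply: what the parser accepts is a legal filter, and every legal filter is accepted), and it fills the placeholders with RFC 2254-escaped values so that a caller-supplied string cannot change the shape of the filter. The function names (is_valid_filter, escape_value, render_filter, FilterError) and the sample filters are assumptions made for this illustration.

```python
"""Validate an LDAP search-filter template and fill its {N} placeholders safely.

Added example, not part of cloudera.cluster. Implements the RFC 2254 grammar:

    filter     = "(" filtercomp ")"
    filtercomp = "&" 1*filter / "|" 1*filter / "!" filter / item
    item       = attr ( "=" / "~=" / ">=" / "<=" ) value   ("*" only after "=")

Placeholders such as {0} are ordinary value characters while validating and are
replaced with escaped values at render time.
"""
import re

# Attribute description (e.g. memberOf, cn;binary) or numeric OID (e.g. 2.5.4.3).
_ATTR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.;-]*")
# RFC 2254 escapes: backslash followed by two hex digits.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


class FilterError(ValueError):
    """Raised with the offset at which the filter text stops being legal."""


class _Parser:
    def __init__(self, text: str) -> None:
        self.s = text
        self.i = 0

    def fail(self, msg: str) -> None:
        raise FilterError(f"{msg} at offset {self.i}: {self.s!r}")

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch: str) -> None:
        if self.peek() != ch:
            self.fail(f"expected {ch!r}")
        self.i += 1

    def filter(self) -> None:
        self.expect("(")
        c = self.peek()
        if c in ("&", "|"):                 # and / or take one or more filters
            self.i += 1
            if self.peek() != "(":
                self.fail("expected at least one nested filter")
            while self.peek() == "(":
                self.filter()
        elif c == "!":                      # not takes exactly one filter
            self.i += 1
            self.filter()
        else:
            self.item()
        self.expect(")")

    def item(self) -> None:
        m = _ATTR_RE.match(self.s, self.i)
        if not m:
            self.fail("expected attribute description")
        self.i = m.end()
        if self.s.startswith(("~=", ">=", "<="), self.i):
            self.i += 2
            stars_ok = False
        elif self.peek() == "=":
            self.i += 1
            stars_ok = True                 # "=" admits present (=*) and substring forms
        else:
            self.fail("expected filtertype")
        while self.peek() not in ("", ")"):
            c = self.peek()
            if c in ("(", "\x00"):
                self.fail("unescaped special character in value")
            if c == "*" and not stars_ok:
                self.fail("'*' is only legal with '='")
            if c == "\\":
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", self.s[self.i + 1:self.i + 3]):
                    self.fail("bad escape sequence")
                self.i += 3
                continue
            self.i += 1


def is_valid_filter(text: str) -> bool:
    """True if text is a complete, well-formed RFC 2254 search filter."""
    try:
        p = _Parser(text)
        p.filter()
        return p.i == len(p.s)              # nothing may trail the outermost ")"
    except FilterError:
        return False


def escape_value(value: str) -> str:
    """Escape an assertion value so it cannot contribute filter syntax."""
    return "".join(_ESCAPE.get(c, c) for c in value)


def render_filter(template: str, *values: str) -> str:
    """Validate the template, then fill {0}, {1}, ... with escaped values."""
    if not is_valid_filter(template):
        raise FilterError(f"template is not a legal LDAP filter: {template!r}")
    out = template
    for n, v in enumerate(values):
        out = out.replace("{%d}" % n, escape_value(v))
    return out


if __name__ == "__main__":
    # The compound group filter from the PR description, plus a hostile value (constructed).
    tmpl = "(&(|(member={0})(member={1}))(objectClass=group))"
    print(is_valid_filter(tmpl), render_filter(tmpl, "uid=alice", "*)(cn=*"))
```

The parser rejects the forms a regex is most likely to get wrong: a "!" with more than one operand, a "*" after ">=" or "<=", an unbalanced parenthesis, and trailing text after the outermost ")". Escaping at render time matters because a value containing ")(" would otherwise splice an extra clause into a filter that validated correctly as a template.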

clevesque commented 1 year ago

1) Added unnecessary svcs (rhel8) nm-cloud-setup.timer & nm-cloud-setup roles/prereqs/os/defaults/main.yml per ENG

2) Don't create linux accounts on ecs hosts from the list of Base Cluster accounts; we only need cloudera-scm on ecs hosts. roles/prereqs/user_accounts/tasks/main.yml

3) On ECS hosts only create file acls for cloudera-scm and not other base accounts. roles/security/tls_generate_csr/tasks/main.yml roles/security/tls_generate_csr/tasks/acls_ecs.yml

Chaffelson commented 1 year ago

@clevesque your branch here appears to have duplicated the commits from my Ranger fix, and also needs the DCO signing completed before we can merge please.