identity: Add GSSAPI suport for FreeIPA authentication (#52031)

* identity: Add GSSAPI suport for FreeIPA authentication

This enables the usage of GSSAPI for authentication, instead of having
to pass the username and password as part of the playbook run.

If there is GSSAPI support, this makes the password optional, and will
be able to use the KRB5_CLIENT_KTNAME or the KRB5CCNAME environment
variables; which are standard when using kerberos authentication.

Note that this depends on the urllib_gssapi library, and will only
enable this if that library is available.

* identity: Add documentation for GSSAPI authentication for FreeIPA

This documentation describes how to use GSSAPI authentication with the
IPA identity modules.

* identity: Add changelog for GSSAPI support for IPA

This adds the changelog entry for the GSSAPI authentication feature for
the IPA identity module.

lib/ansible/plugins/doc_fragments/ipa.py

@@ -34,9 +34,11 @@ options:
     description:
     - Password of administrative user.
     - If the value is not specified in the task, the value of environment variable C(IPA_PASS) will be used instead.
-    - If both the environment variable C(IPA_PASS) and the value are not specified in the task, then default value is set.
+    - Note that if the 'urllib_gssapi' library is available, it is possible to use GSSAPI to authenticate to FreeIPA.
+    - If the environment variable C(KRB5CCNAME) is available, the module will use this kerberos credentials cache to authenticate to the FreeIPA server.
+    - If the environment variable C(KRB5_CLIENT_KTNAME) is available, and C(KRB5CCNAME) is not; the module will use this kerberos keytab to authenticate.
+    - If GSSAPI is not available, the usage of 'ipa_pass' is required.
     - 'Environment variable fallback mechanism is added in version 2.5.'
-    required: true
   ipa_prot:
     description:
     - Protocol used by IPA server.