The attached patch is a work in progress for
https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
I am sharing now to make the approach clear and solicit feedback.
It has been tested for server install, replica install (with and
without CA) and CA-replica install (all hosts running master+patch).
Migration from earlier versions and server/replica/CA install on a
CA-less deployment are not yet tested; these will be tested over
coming days and patch will be tweaked as necessary.
Commit message has a fair bit to say so I won't repeat here but let
me know your questions and comments.