kadm5: move password quality checks out of daemons and into libkadm5

Note that this has a slight behavior change to c89d3f3b in order to continue
allow kadmin in local mode to bypass password quality checks. Password quality
checks are always bypassed if the *client* kadmin principal is kadmin/admin,
i.e. that of the kadmin service itself. This is the case when running kadmin in
local mode. As this is the equivalent of a superuser account, one would
anticipate that deployments would use specific administrator instances for
appropriate ACLs for day-to-day administration; operations by these will be
subject to password quality checks if enforce_on_admin_set is TRUE, or if the
user is changing their own password.

doc/setup.texi

@@ -472,12 +472,14 @@ number, special characters.
 
 @item enforce_on_admin_set
 
-The enforce_on_admin_set check validates that administrative password changes
-via kpasswdd or kadmind are also subject to the password policy. Note that
-@command{kadmin} in local mode can still bypass these. An administrative
-password change is one where the identity of the authenticating principal
-differs from the subject of the password change. Default value if not given is
-true.
+The enforce_on_admin_set check subjects administrative password updates to the
+password policy. An administrative password update is a create principal or
+change password request via @command{kadmind}, or a set password request via
+@command{kpasswdd}. (A set password request is one where the authenticating
+principal differs from the principal whose password is being changed.) Password
+policies are always ignored if the authenticating principal is the kadmin
+service itself, for example when running @command{kadmin} in local mode. The
+default value for enforce_on_admin_set if not given is true.
 
 @end itemize