kadm5: move password quality checks out of daemons and into libkadm5

Note that this has a slight behavior change to c89d3f3b in order to continue
allow kadmin in local mode to bypass password quality checks. Password quality
checks are always bypassed if the *client* kadmin principal is kadmin/admin,
i.e. that of the kadmin service itself. This is the case when running kadmin in
local mode. As this is the equivalent of a superuser account, one would
anticipate that deployments would use specific administrator instances for
appropriate ACLs for day-to-day administration; operations by these will be
subject to password quality checks if enforce_on_admin_set is TRUE, or if the
user is changing their own password.

lib/kadm5/acl.c

@@ -141,6 +141,21 @@ fetch_acl (kadm5_server_context *context,
     return ret;
 }
 
+krb5_boolean
+_kadm5_is_kadmin_service_p(kadm5_server_context *context)
+{
+    krb5_boolean ret;
+    krb5_principal princ;
+
+    if (krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ) != 0)
+	return FALSE;
+
+    ret = krb5_principal_compare(context->context, context->caller, princ);
+    krb5_free_principal(context->context, princ);
+
+    return ret;
+}
+
 /*
  * set global acl flags in `context' for the current caller.
  * return 0 on success or an error
@@ -149,15 +164,7 @@ fetch_acl (kadm5_server_context *context,
 kadm5_ret_t
 _kadm5_acl_init(kadm5_server_context *context)
 {
-    krb5_principal princ;
-    krb5_error_code ret;
-
-    ret = krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ);
-    if (ret)
-	return ret;
-    ret = krb5_principal_compare(context->context, context->caller, princ);
-    krb5_free_principal(context->context, princ);
-    if(ret != 0) {
+    if (_kadm5_is_kadmin_service_p(context)) {
 	context->acl_flags = KADM5_PRIV_ALL;
 	return 0;
     }