Validate externalhost (when added by --addattr/--setattr)

Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.

Tests included.

https://fedorahosted.org/freeipa/ticket/2649

ipalib/plugins/baseldap.py

@@ -157,9 +157,6 @@ global_output_params = (
     Str('memberofindirect_hbacrule?',
         label='Indirect Member of HBAC rule',
     ),
-    Str('externalhost?',
-        label=_('External host'),
-    ),
     Str('sourcehost',
         label=_('Failed source hosts/hostgroups'),
     ),
@@ -313,6 +310,20 @@ def wait_for_value(ldap, dn, attr, value):
 
     return entry_attrs
 
+
+def validate_externalhost(ugettext, hostname):
+    try:
+        validate_hostname(hostname, check_fqdn=False, allow_underscore=True)
+    except ValueError, e:
+        return unicode(e)
+
+
+external_host_param = Str('externalhost*', validate_externalhost,
+        label=_('External host'),
+        flags=['no_create', 'no_update', 'no_search'],
+)
+
+
 def add_external_pre_callback(membertype, ldap, dn, keys, options):
     """
     Pre callback to validate external members.

ipalib/plugins/hbacrule.py

@@ -219,6 +219,7 @@ class hbacrule(LDAPObject):
             label=_('Service Groups'),
             flags=['no_create', 'no_update', 'no_search'],
         ),
+        external_host_param,
     )
 
 api.register(hbacrule)

ipalib/plugins/netgroup.py

@@ -146,6 +146,7 @@ class netgroup(LDAPObject):
             doc=_('Host category the rule applies to'),
             values=(u'all', ),
         ),
+        external_host_param,
     )
 
 api.register(netgroup)

ipalib/plugins/sudorule.py

@@ -217,6 +217,7 @@ class sudorule(LDAPObject):
             doc=_('Run with the gid of a specified POSIX group'),
             flags=['no_create', 'no_update', 'no_search'],
         ),
+        external_host_param,
     )
 
     order_not_unique_msg = _(