Validate DN & RDN parameters for migrate command

Ticket #2555

We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.

* add parameter validation functions validate_dn_param() and
  validate_rdn_param() to ipalib.util. Those functions simply invoke
  the DN or RDN constructor from our dn module passing it the string
  representation. If the constructor does not throw an error it's
  valid.

* Add the parameter validation function pointers to the Param objects
  in the migrate command.

* Make the usercontainer and groupcontainer parameters required.
  passing --usercontainer= on the command line will produce

  ipa: ERROR: 'user_container' is required

* Fix _get_search_bases() so if a container dn is empty it it just
  uses the base dn alone instead of faulting (currently
  bullet-proofing because now the containers are required).

* Update the doc for usercontainer and groupcontainer to reflect the
  fact they are DN's not RDN's. A RDN can only be one level and it
  should be possible to have a container more than one RDN removed
  from the base.

ipalib/util.py

@@ -31,6 +31,7 @@ from weakref import WeakKeyDictionary
 
 from ipalib import errors
 from ipalib.text import _
+from ipalib.dn import DN, RDN
 from ipapython import dnsclient
 from ipapython.ipautil import decode_ssh_pubkey
 
@@ -484,3 +485,17 @@ def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
     policy += ";"
 
     return policy
+
+def validate_rdn_param(ugettext, value):
+    try:
+        rdn = RDN(value)
+    except Exception, e:
+        return str(e)
+    return None
+
+def validate_dn_param(ugettext, value):
+    try:
+        rdn = DN(value)
+    except Exception, e:
+        return str(e)
+    return None