Defer adding ipa-cifs-delegation-targets until the Updates phase.

It was likely that this would fail being in an LDIF so let an update
file add this potentially conflicting entry instead.

https://fedorahosted.org/freeipa/ticket/2837

install/share/replica-s4u2proxy.ldif

@@ -2,9 +2,11 @@ dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: modify
 add: memberPrincipal
 memberPrincipal: HTTP/$FQDN@$REALM
--
-add: ipaAllowedTarget
-ipaAllowedTarget: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
+
+# ipa-cifs-delegation-targets needs to be an ipaAllowedTarget for HTTP
+# delegation but we don't add it here as an LDIF because this entry may
+# already exist from another replica, or previous install. If it is missing
+# then it will be caught by the update file 61-trusts-s4u2proxy.update
 
 dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: modify