Add login role to daffy
Use tls_certreq allow instead of the "demand" that we have on all the other
machines, because daffy connects to the LDAP server in Provo, which is a
cluster address and has a certificate mismatch.
https://progress.opensuse.org/issues/25154