
Create base entry on external configuration store during setup#1045

Open
vharseko wants to merge 5 commits into OpenIdentityPlatform:master from vharseko:issues/sel-ubuntu

Conversation

@vharseko

Summary

OpenAM could not be installed against an external OpenDJ when the base DN
(root suffix, e.g. dc=openam,dc=example,dc=org) had not been created in advance.
Installation only succeeded when the directory was started with the OpenDJ
--addBaseEntry option (the ADD_BASE_ENTRY environment variable in the
OpenDJ Docker image).

This PR makes OpenAM create the base entry itself when it is missing, mirroring
the behaviour of the embedded configuration store (which creates the suffix via
openam_suffix.ldif). The --addBaseEntry / ADD_BASE_ENTRY workaround is no
longer required.

Problem

During setup against an external store:

  • AMSetupServlet.setupSMDatastore() only loaded schema/indexes (dsSmsSchema)
    but never created the root suffix.
  • The setup wizard validation (Step3.validateSMHost()) reported an error when
    the suffix was absent, leaving the Next button disabled.
  • The install-time validation (ServicesDefaultValues.setServiceConfigValues())
    failed with configurator.invalidsuffix when the suffix did not exist.

As a result the only way to proceed was to pre-create the base DN on the
directory server.

Changes

Product code (openam-core)

  • AMSetupDSConfig — added createBaseEntry(boolean ssl):
    • returns early when the suffix already exists (existence check),
    • derives the objectClass from the RDN naming attribute
      (dc → domain, o → organization, ou → organizationalUnit,
      otherwise extensibleObject),
    • is idempotent — handles ENTRY_ALREADY_EXISTS,
    • reports progress via SetupProgress and logs/raises ConfiguratorException
      on real failures.
  • AMSetupServlet.writeSchemaFiles() — calls createBaseEntry() before
    loading schema files for an external (SMS_DS_DATASTORE) configuration store.
  • ServicesDefaultValues.setServiceConfigValues() — creates the base entry
    instead of failing with configurator.invalidsuffix when the suffix is
    missing; only fails if creation does not result in a reachable suffix.
  • Step3.validateSMHost() (setup wizard) — treats a missing root suffix
    (NO_SUCH_OBJECT / EntryNotFoundException) as valid so the Next button
    is enabled; only real connection/authentication errors block progress.

Tests (openam-server)

  • IT_SetupWithOpenDJ — integration tests covering both scenarios against a
    Testcontainers OpenDJ:
    • testSetupWithOpendj — external OpenDJ without a pre-created base DN
      (OpenAM creates the base entry),
    • testSetupWithOpendjAddBaseEntry — external OpenDJ with a pre-created
      base DN (ADD_BASE_ENTRY=--addBaseEntry).
  • pom.xml — added a separate /am2 webapp context (an OpenAM instance can
    only be configured once per webapp), raised the Tomcat heap to -Xmx2g, and
    extended container startup / install timeouts.

Behaviour

Scenario                                                Before                After
External OpenDJ, base DN pre-created (--addBaseEntry)   ✅ works              ✅ works
External OpenDJ, base DN not created                    ❌ fails              ✅ OpenAM creates the base entry
Embedded OpenDJ                                         ✅ works (unchanged)  ✅ works (unchanged)

Backward compatibility

No behavioural change for existing deployments where the base DN already exists
or --addBaseEntry is used — createBaseEntry() is a no-op in those cases.

Testing

  • IT_SetupWithOpenDJ — both new tests pass (with and without ADD_BASE_ENTRY).
  • Full integration suite: Tests run: 3, Failures: 0, Errors: 0, Skipped: 0
    BUILD SUCCESS.
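
The createBaseEntry() logic described above, modelled as an added Python example (not OpenAM code): the RDN naming attribute picks the objectClass, an existing suffix is a no-op, and ENTRY_ALREADY_EXISTS from a concurrent add is treated as success. FakeDirectory is a constructed stand-in for the external OpenDJ.

```python
"""Idempotent root-suffix creation as described in the PR (added example,
not OpenAM code): derive the objectClass from the RDN naming attribute,
skip when the entry exists, and treat ENTRY_ALREADY_EXISTS as success."""
import re

# RDN naming attribute -> structural objectClass, as listed in the PR.
OBJECT_CLASS_BY_RDN = {"dc": "domain", "o": "organization", "ou": "organizationalUnit"}


class EntryAlreadyExists(Exception):
    """Stand-in for the LDAP entryAlreadyExists result code (68)."""


class FakeDirectory:
    """Constructed stand-in for the external OpenDJ; keeps entries by DN."""

    def __init__(self, entries=()):
        self.entries = {e["dn"].lower(): e for e in entries}

    def exists(self, dn):  # models the BASE_OBJECT existence search
        return dn.lower() in self.entries

    def add(self, entry):
        if entry["dn"].lower() in self.entries:
            raise EntryAlreadyExists(entry["dn"])
        self.entries[entry["dn"].lower()] = entry


def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN, honouring escaped commas."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0].strip()
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError("not a DN: %r" % dn)
    return attr.strip().lower(), value.strip()


def base_entry_for(dn):
    """Build the entry to add for a missing root suffix (dc=... -> domain, ...)."""
    attr, value = first_rdn(dn)
    object_class = OBJECT_CLASS_BY_RDN.get(attr, "extensibleObject")
    return {"dn": dn, "objectClass": ["top", object_class], attr: [value]}


def create_base_entry(directory, dn):
    """Return 'exists', 'created' or 'raced'; any other failure propagates."""
    if directory.exists(dn):
        return "exists"
    try:
        directory.add(base_entry_for(dn))
    except EntryAlreadyExists:  # a concurrent writer won: still a success
        return "raced"
    return "created"
```

Only ENTRY_ALREADY_EXISTS is swallowed; connection or authentication failures still propagate, matching the PR's "only fails if creation does not result in a reachable suffix".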

vharseko added 4 commits June 12, 2026 19:01
Allow OpenAM to be installed against an external OpenDJ when the base DN
(root suffix) has not been pre-created, removing the need for the OpenDJ
"--addBaseEntry" / ADD_BASE_ENTRY option.

- AMSetupDSConfig: add createBaseEntry() to create the root suffix when
  missing, deriving the objectClass from the RDN (dc/o/ou), with an
  existence check and ENTRY_ALREADY_EXISTS handling for idempotency.
- AMSetupServlet: call createBaseEntry() before loading schema files for
  an external (dsSmsSchema) configuration store, mirroring the embedded
  behaviour that creates the suffix via openam_suffix.ldif.
- ServicesDefaultValues: create the base entry instead of failing with
  configurator.invalidsuffix when the suffix does not yet exist.
- Step3 wizard: treat a missing root suffix (NO_SUCH_OBJECT) as valid so
  the Next button is enabled; only real connection/auth failures block.
- Add IT_SetupWithOpenDJ integration tests covering external OpenDJ both
  with and without a pre-created base DN; deploy a separate /am2 context,
  raise Tomcat heap to 2g and extend startup/install timeouts.

Allow OpenAM to be configured (including via ssoconfiguratortools) against
an external user-store directory whose base DN (root suffix) has not been
pre-created, removing the need for the OpenDJ "--addBaseEntry" option on the
user store.

The user store schema/initialisation LDIFs (e.g. opendj_userinit.ldif) add
entries such as "ou=people"/"ou=groups" under the user store root suffix but
assume the suffix itself already exists. When it did not, the configurator
failed with HTTP 500 while "Loading Schema opendj_userinit.ldif"
(NO_SUCH_OBJECT).

UserIdRepo.loadSchema() now creates the user store root suffix before loading
the schema files via a new createBaseEntry() helper that:
- checks for the base entry (BASE_OBJECT search) and is a no-op when present;
- derives the objectClass from the RDN (dc/o/ou, otherwise extensibleObject);
- is idempotent, handling ENTRY_ALREADY_EXISTS.

This mirrors the existing AMSetupDSConfig.createBaseEntry() behaviour added for
the external configuration store.