d81d8d3 LDAP/AD: do not resolve group members during tokenGroups request

9 files. Authored by sbose 9 years ago, committed by jhrozek 9 years ago.
    LDAP/AD: do not resolve group members during tokenGroups request
    
    During initgroups requests we try to avoid resolving the complete
    member list of groups if possible, e.g. if there are no nested groups.
    The tokenGroups LDAP lookup returns the complete list of memberships for
    a user, hence it is not necessary to look up the other group members and
    un-roll nested groups. With this patch only the group entry is looked up
    and saved as an incomplete group to the cache.
    
    This is achieved by adding a new boolean parameter no_members to
    groups_get_send() and sdap_get_groups_send(). The difference to config
    options like ldap_group_nesting_level = 0 or ignore_group_members is
    that if no_members is set to true groups which are missing in the cache
    are created as incomplete groups. As a result a request to look up this
    group will trigger a new LDAP request to resolve the group completely.
    This way no information is ignored but the time needed to read all data
    is better distributed between different requests.
    
    https://fedorahosted.org/sssd/ticket/2601
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    
        
file modified
+9 -5