For FreeIPA integration with Active Directory, we need to expose information about AD users and groups to legacy clients via LDAP. Currently slapi-nis plugin requests information from glibc's NSS API and while all requests are about SSSD-provided users and groups, the whole stack of modules from nsswitch.conf must be traversed.

When answering membership queries "(&(memberUid=user@ad.domain)(objectClass=posixGroup))", slapi-nis has to build full group entries for all groups a user is a member of. For large groups this also means pulling a lot of group members. When going through glibc's NSS API, for every request to SSSD there is also a request to nss_files which eventually causes dead locks because nss_files serializes own access to /etc/group and /etc/passwd which gets into a way for normal NSS requests from 389-ds process consisting of multiple threads.

As result, when AD groups contain several hundred or thousands members, it is easy to get nss_files to dead lock itself, visible as 100% CPU bound ns-slapd process.

Ideally we want to avoid hitting anything but SSSD with these queries because we already know that only SSSD can provide the requested information.

slapi-nis already uses sss_nss_getXXbyYY() API. We can use sss_nss_getorigbyname() as well but it only returns a restricted set of key:value pairs that is not enough to fully support slapi-nis use cases.

It would be good to have an extension of sss_nss_getXXbyXX() API that provides the same information as getpwnam_r(), getgrnam_r(), getgrgid_r(), getgroups calls from glibc's API.

Additionally, information about group membership and user membership in different groups would need to be cached in memory for such cases where getgroups() calls are used to populate membership information.