slev / slapi-nis

Forked from slapi-nis 4 years ago

d1b8790 slapi-nis: add support to resolve external members of IPA groups

Authored and Committed by abbra 8 years ago
    slapi-nis: add support to resolve external members of IPA groups
    
    FreeIPA allows including external (non-LDAP) members in POSIX groups.
    To define external members, an attribute ipaExternalMember is set to
    the list of references to external members. Currently both FreeIPA and
    SSSD support only references made with SIDs (Security Identifiers) from
    the forests trusted by FreeIPA.
    
    Resolving external members of FreeIPA groups requires resolving SIDs to
    user and group names. However, since this resolution is already
    implemented by SSSD for the group in question, slapi-nis can use the
    fact that there is a non-empty ipaExternalMember attribute value to
    trigger a lookup of the FreeIPA group via SSSD and then copy over the
    memberUid attribute value set.
    
    This logic requires that the ipaExternalMember attribute value be present
    in the entry to be put into the map cache. Thus, additional
    configuration is needed for the groups container:
    
    schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
    
    Note that resolving external members of IPA groups requires using a
    version of slapi-nis that populates the map cache after LDAP server
    startup, as SSSD needs to talk back to the LDAP server in the process of
    resolving external group members, and that is not possible at the time
    when the slapi-nis plugin starts up, as the LDAP server is not yet
    listening for incoming connections at that point.
    
        
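To illustrate the decision rule the commit message describes, here is an added example in Python; it is not code from slapi-nis or FreeIPA. It treats a non-empty ipaExternalMember value as the trigger for a group lookup through a resolver that stands in for SSSD, merges the result into memberUid, and rejects references that are not SIDs, since the message says only SID references are supported. The group entries, the SID values and the resolver are constructed for this example.

```python
import re

# Shape of a Windows security identifier (SID), the only form of external
# member reference the commit message says FreeIPA and SSSD support.
SID_RE = re.compile(r"^S-1-\d+(-\d+){1,15}$")


def is_sid(value: str) -> bool:
    """True if value is syntactically a SID (S-1-<authority>-<sub-authorities>)."""
    return bool(SID_RE.fullmatch(value))


def build_compat_group(entry: dict, resolve_via_sssd) -> list:
    """Return the sorted memberUid set for one compat map entry.

    entry: group attributes (cn, memberuid, ipaexternalmember) as lists/strings.
    resolve_via_sssd: callable(group_cn) -> member names; a stand-in for the
      SID resolution that SSSD already performs for the group.
    """
    external = [v for v in entry.get("ipaexternalmember", []) if v]
    bad = [v for v in external if not is_sid(v)]
    if bad:
        # Unsupported reference form: refuse rather than guess a name.
        raise ValueError(f"unsupported external member reference(s): {bad}")
    members = set(entry.get("memberuid", []))
    if external:
        # Non-empty ipaExternalMember is the trigger for the SSSD lookup.
        members.update(resolve_via_sssd(entry["cn"]))
    return sorted(members)


def build_map_cache(groups: dict, resolver) -> dict:
    """Populate a map-cache-like dict; entries with bad references become None."""
    cache = {}
    for cn, entry in groups.items():
        try:
            cache[cn] = build_compat_group(entry, resolver)
        except ValueError:
            cache[cn] = None  # a real plugin would log and skip the entry
    return cache


# Constructed sample groups (not real directory data).
SAMPLE_GROUPS = {
    "admins": {"cn": "admins", "memberuid": ["alice"], "ipaexternalmember": []},
    "ad_users": {"cn": "ad_users", "memberuid": ["bob"],
                 "ipaexternalmember": ["S-1-5-21-111111111-222222222-333333333-1013"]},
    "broken": {"cn": "broken", "memberuid": [], "ipaexternalmember": ["not-a-sid"]},
}

# Hypothetical stand-in for SSSD: names it would return for each group's SIDs.
FAKE_SSSD = {"ad_users": ["carol@ad.example.test", "dave@ad.example.test"]}


def fake_resolve(group_cn: str) -> list:
    return FAKE_SSSD.get(group_cn, [])
```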
file modified
+15 -0
file modified
+112 -0