ipa-extdom-extop: refactor nsswitch operations
    
    Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
    of timeout-enabled nsswitch calls provided by libsss_nss_idmap.
    
    Standard POSIX nsswitch API has no way to cancel requests which may
    cause ipa-extdom-extop requests to hang far too long and potentially
    exhaust LDAP server workers. In addition, glibc nsswitch API iterates
    through all nsswitch modules one by one and with multiple parallel
    requests a lock up may happen in an unrelated nsswitch module like
    nss_files.so.2.
    
    A solution to the latter issue is to directly load nss_sss.so.2 plugin
    and utilize it. This, however, does not solve a problem with lack of
    cancellable API.
    
    With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
    nsswitch API that is directly integrated with SSSD client side machinery
    used by nss_sss.so.2. As result, this API can be used instead of loading
    nss_sss.so.2 directly.
    
    To support older SSSD version, both direct loading of nss_sss.so.2 and
    new timeout-enabled API are supported by this changeset. An API to
    abstract both is designed to be a mix between internal glibc nsswitch
    API and external nsswitch API that libsss_nss_idmap mimics. API does not
    expose per-call timeout. Instead, it allows to set a timeout per
    nsswitch operation context to reduce requirements on information
    a caller has to maintain.
    
    A choice which API to use is made at configure time.
    
    In order to test the API, a cmocka test is updated to explicitly load
    nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
    depend on availablility of SSSD, predictable testing would not be
    possible without it otherwise. Also, cmocka test does not use
    nss_wrapper anymore because nss_wrapper overrides higher level glibc
    nsswitch API while we are loading an individual nsswitch module
    directly.
    
    As result, cmocka test overrides fopen() call used by nss_files.so.2 to
    load /etc/passwd and /etc/group. An overridden version changes paths to
    /etc/passwd and /etc/group to a local test_data/passwd and
    test_data/group. This way we can continue testing a backend API for
    ipa-extdom-extop with the same data as with nss_wrapper.
    
    Fixes https://pagure.io/freeipa/issue/5464
    
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
    Reviewed-By: Robbie Harwood <rharwood@redhat.com>