LDAP group find by CN can't distinguish between a group and a user
Zendesk issue: https://gitlab.zendesk.com/agent/tickets/39149
Look at the logs in the above Zendesk ticket. This customer had to set the `group_base` to be very broad - specifically, to the same value as the `base`.

- Group sync searches for a group with CN `ops`.
- It turns out there are both a user and a group with this CN.
- The find-by-CN method takes the first entry it finds, regardless of `objectClass`, and tries to find members. Since the user object is found first, it finds no members and continues on.
- We may need to add an array of acceptable object classes to look for: `group`, `groupOfNames`, `groupOfUniqueNames`. Others? Since I'm sure there will always be edge cases, we probably need to expose it as a configuration option that defaults to something sane. There's also a strong likelihood that no matter what we do we will break someone.
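To make the failure mode concrete, here is an added Ruby example (not GitLab's group-sync code) that reproduces the bug against a constructed in-memory directory with a user and a group both named `ops`, and shows the proposed fix: restrict the lookup to a configurable list of acceptable group object classes, both when picking an entry from results and when building the server-side search filter. The entry layout, the `GROUP_OBJECT_CLASSES` default and the helper names are assumptions for illustration.

```ruby
# Added example, not GitLab's code. Demonstrates why a find-by-CN that
# ignores objectClass picks the wrong entry, and how an objectClass
# allow-list fixes it. Default list mirrors the classes proposed above.
GROUP_OBJECT_CLASSES = %w[group groupOfNames groupOfUniqueNames].freeze

# Constructed sample entries: a user and a group share the CN "ops".
# A real search with a broad group_base can return both; the user sorts first here.
SAMPLE_ENTRIES = [
  { dn: "cn=ops,ou=people,dc=example,dc=com",
    cn: "ops",
    objectclass: %w[top person inetOrgPerson],
    member: [] },
  { dn: "cn=ops,ou=groups,dc=example,dc=com",
    cn: "ops",
    objectclass: %w[top groupOfNames],
    member: ["uid=alice,ou=people,dc=example,dc=com",
             "uid=bob,ou=people,dc=example,dc=com"] },
].freeze

# Buggy behaviour described in the issue: first CN match wins,
# regardless of objectClass, so the user entry is returned.
def find_group_by_cn_first_match(entries, cn)
  entries.find { |e| e[:cn].casecmp?(cn) }
end

# Fixed behaviour: only entries carrying one of the acceptable group
# object classes qualify. `object_classes:` stands in for the proposed
# configuration option so deployments with unusual schemas can extend it.
def find_group_by_cn(entries, cn, object_classes: GROUP_OBJECT_CLASSES)
  wanted = object_classes.map(&:downcase)
  entries.find do |e|
    e[:cn].casecmp?(cn) && (e[:objectclass].map(&:downcase) & wanted).any?
  end
end

# RFC 4515 escaping so a CN taken from configuration cannot alter the filter.
def escape_filter(value)
  value.gsub(/[\\*()\x00]/) { |c| format("\\%02x", c.ord) }
end

# The equivalent server-side filter: AND the CN with an OR over the
# acceptable object classes, so the directory never returns the user entry.
def group_filter(cn, object_classes: GROUP_OBJECT_CLASSES)
  classes = object_classes.map { |oc| "(objectClass=#{oc})" }.join
  "(&(cn=#{escape_filter(cn)})(|#{classes}))"
end

# Members of the chosen entry; nil (no match) yields an empty list.
def members_of(entry)
  entry ? Array(entry[:member]) : []
end

if __FILE__ == $PROGRAM_NAME
  buggy = find_group_by_cn_first_match(SAMPLE_ENTRIES, "ops")
  fixed = find_group_by_cn(SAMPLE_ENTRIES, "ops")
  puts "first-match picked #{buggy[:dn]} with #{members_of(buggy).size} members"
  puts "objectClass-aware picked #{fixed[:dn]} with #{members_of(fixed).size} members"
  puts "filter: #{group_filter('ops')}"
end
```

Running it prints that the first-match lookup selects the user DN with zero members (the silent empty sync from the ticket) while the objectClass-aware lookup selects the group DN with two members; the printed filter is what a search restricted to group classes would send, so the ambiguity is resolved by the directory rather than by result ordering.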
cc/ @jacobvosmaer-gitlab fyi