
[WIP] faster group membership resolution in AD

This is a follow-up to !215 (closed) after recent versions of GitLab changed the way LDAP group sync works.

The new implementation is still not working acceptably in our environment. The LDAP query used to recursively evaluate all group members takes 70-80 seconds per group (it seems to increase with the total number of user accounts in the Active Directory). In any case, it never completes within the default 10s timeout, and extending the timeout would result in extremely slow LDAP group sync.

This MR proposes an alternative method to resolve group membership, which is much faster in large AD environments (but probably a bit slower in small ones). The method is to recursively walk the nested groups. In our environment, with this patch GitLab can sync 1000 LdapGroupLinks in about 300 sec, i.e. 250 times faster.

In its current state, it does not behave exactly as the upstream implementation: nested groups outside the group_base path are currently ignored, but this is just a matter of search scope. Feedback on the approach would be appreciated.
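As an added illustration of the walk described above (example code written for this page, not GitLab's own implementation): the directory is modelled as an in-memory hash standing in for LDAP lookups, and the group_base scope restriction is assumed to be a suffix match on the DN. It also shows the two cases a practitioner would want handled, a membership cycle between nested groups and a nested group that lies outside group_base.

```ruby
require "set"

# Constructed stand-in for an LDAP connection: keys are DNs, values are the
# entry attributes the walk needs (objectClass and the member list).
DIRECTORY = {
  "CN=devs,OU=Groups,DC=example,DC=com" => {
    object_class: "group",
    member: ["CN=alice,OU=Users,DC=example,DC=com",
             "CN=backend,OU=Groups,DC=example,DC=com"],
  },
  "CN=backend,OU=Groups,DC=example,DC=com" => {
    object_class: "group",
    member: ["CN=bob,OU=Users,DC=example,DC=com",
             "CN=devs,OU=Groups,DC=example,DC=com",        # cycle back to parent
             "CN=external,OU=Partners,DC=example,DC=com"], # outside group_base
  },
  "CN=external,OU=Partners,DC=example,DC=com" => {
    object_class: "group",
    member: ["CN=carol,OU=Users,DC=example,DC=com"],
  },
  "CN=alice,OU=Users,DC=example,DC=com" => { object_class: "user", member: [] },
  "CN=bob,OU=Users,DC=example,DC=com"   => { object_class: "user", member: [] },
  "CN=carol,OU=Users,DC=example,DC=com" => { object_class: "user", member: [] },
}.freeze

# Returns the set of user DNs reachable from group_dn through nested groups,
# doing one lookup per group instead of a single recursive LDAP query.
# Only groups under group_base are expanded (assumed suffix match on the DN),
# mirroring the search-scope limitation noted above; the visited set stops
# infinite recursion when nested groups form a cycle.
def resolve_members(group_dn, group_base, directory = DIRECTORY, visited = Set.new)
  return Set.new unless visited.add?(group_dn)
  users = Set.new
  entry = directory[group_dn]
  return users unless entry
  entry[:member].each do |dn|
    child = directory[dn]
    next if child.nil?
    if child[:object_class] == "group"
      next unless dn.downcase.end_with?(group_base.downcase)
      users.merge(resolve_members(dn, group_base, directory, visited))
    else
      users << dn
    end
  end
  users
end
```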
