[SSSD] [PATCH] sdap: improve filtering of multiple results in GC lookups

Hi, this patch fixes and issue during initgroups in AD forests. Please see the commit message for details. To reproduce this you can create a new user outside of CN=Users on the forest root. The new user can be created in an existing container or in a new OU container. Most important is that it is not a child of CN=Users. In a child domain (it must be a child, domains with a different base won't trigger the issue) create a user with the same name. With this setup 'id user(a)forest.root' will not return the complete list of group the user is a member of and the patch should fix this. bye, Sumit