Add support for external group members

When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664

tests/test_xmlrpc/objectclasses.py

@@ -45,6 +45,8 @@ group = [
     u'ipaobject',
 ]
 
+externalgroup = group + [u'ipaexternalgroup']
+
 host = [
     u'ipasshhost',
     u'ipaSshGroupOfPubKeys',