I don’t think you can do any better than retrieving each member user’s information:
groupinfo=$groupinfo="$(getent group xyz)" groupinfo="${groupinfo#*:*:}" gid="${groupinfo%%:*}" members="${groupinfo##*:}" (IFS=,; set -f; for member in $members; do getent passwd $member | grep -E "([^:]+:){3}$gid:" done) If your LDAP server allows you to enumerate all users with getent passwd, you could parse that instead after determining the gid:
groupinfo=$groupinfo="$(getent group xyz)" groupinfo="${groupinfo#*:*:}" gid="${groupinfo%%:*}" getent passwd | grep -E "([^:]+:){3}$gid:"