https://fedorahosted.org/sssd/ticket/2790
This is just a partial fix.
If a group contains a member which doesn't have overrideDN specified, we fail to resolve membership with LOCAL views.
There is a bigger issue when a group contains ghost members: we do not apply overrides and just ignore the group. As the code says, this is expected. Sumit, do you remember why it is this way?
sysdb_getgrgid_with_views:
    if (el != NULL && el->num_values != 0) {
        DEBUG(SSSDBG_TRACE_ALL,
              "Group object [%s], contains ghost entries which must be " \
              "resolved before overrides can be applied.\n",
              ldb_dn_get_linearized(orig_obj->msgs[0]->dn));
        ret = ENOENT;
        goto done;
    }
As I see it, we can do:
1) If group contains ghosts and memberuid, resolve memberuid
2) For each ghost user either:
   a) Ignore
   b) Put the name in
   c) Try to find overrideObjectDN and apply possible name override, then put the name in