Fix indirect member calculation

Indirect membership is calculated by looking at each member and pulling
all the memberof out of it. What was missing was doing nested searches
on any members in that member group.

So if group2 was a member of group1 and group3 was a member of group2
we would miss group3 as being an indirect member of group1.

I updated the nesting test to do deeper nested testing. I confirmed
that this test failed with the old code and works with the new.

This also prevents duplicate indirect users and looping on circular
membership.

ticket https://fedorahosted.org/freeipa/ticket/1273

ipaserver/plugins/ldap2.py

@@ -943,14 +943,21 @@ class ldap2(CrudBackend, Encoder):
         # Verify group membership
 
         results = []
-        for member in members:
-            try:
-                (result, truncated) = self.find_entries(searchfilter, attr_list,
-                    member, time_limit=time_limit,
-                    size_limit=size_limit, normalize=normalize)
-                results.append(list(result[0]))
-            except errors.NotFound:
-                pass
+        if membertype == MEMBERS_ALL or membertype == MEMBERS_INDIRECT:
+            checkmembers = copy.deepcopy(members)
+            for member in checkmembers:
+                try:
+                    (result, truncated) = self.find_entries(searchfilter,
+                        attr_list, member, time_limit=time_limit,
+                        size_limit=size_limit, normalize=normalize)
+                    results.append(list(result[0]))
+                    for m in result[0][1].get('member', []):
+                        # This member may contain other members, add it to our
+                        # candidate list
+                        if m not in checkmembers:
+                            checkmembers.append(m)
+                except errors.NotFound:
+                    pass
 
         if membertype == MEMBERS_ALL:
             entries = []
@@ -969,7 +976,7 @@ class ldap2(CrudBackend, Encoder):
 
         entries = []
         for e in results:
-            if unicode(e[0]) not in real_members:
+            if unicode(e[0]) not in real_members and unicode(e[0]) not in entries:
                 if membertype == MEMBERS_INDIRECT:
                     entries.append(e[0])
             else: