sdap_fill_memberships: continue if a member is not foud in sysdb

https://fedorahosted.org/sssd/ticket/1755

sdap_find_entry_by_origDN() may return ENOENT in these
non-error scenarios:

If a member is out of scope of configured nesting level, sssd
produces few noise lines indicating failure.

The worse case is when a member is outside of configured search
bases. In this case we save the group with incomplete membership,

1 files changed, 7 insertions, 3 deletions

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index b82c157e5..dbb5037b8 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -217,10 +217,14 @@ static int sdap_fill_memberships(struct sysdb_attrs *group_attrs,
             ret = sdap_find_entry_by_origDN(el->values, ctx, domain,
                                             (char *)values[i].data,
                                             (char **)&el->values[j].data);
+            if (ret == ENOENT) {
+                /* member may be outside of the configured search bases
+                 * or out of scope of nesting limit */
+                DEBUG(SSSDBG_MINOR_FAILURE, ("Member [%s] was not found in "
+                      "cache. Is it out of scope?\n", (char *)values[i].data));
+                continue;
+            }
             if (ret != EOK) {
-                /* This should never return ENOENT
-                 * -> fail if it does
-                 */
                 goto done;
             }