d89bc22 Ticket #47327 - error syncing group if group member user is not synced

Authored and Committed by nhosoi 10 years ago
    Ticket #47327 - error syncing group if group member user is not synced
    
    Bug description: Windows Sync synchronizes member attributes
    in a group entry if the member entry itself is synchronized.
    The entries in the sync scope are basically to be synchronized.
    But there is an exception, such as a container in the scope that
    is not synchronized due to the objecttype constraints. Such an
    unsync'ed entry could have users in it. Users are the target
    of Windows Sync.  But since the parent container is not
    synchronized, the users in the container are not, either.  If a
    group contains such a special user as a member, synchronization
    failed there and the other normal members failed to get
    synchronized.
    
    Fix description: Windows Sync has a helper function
    is_subject_of_agreement_remote, which checks if the entry is
    in the scope to be synchronized.  This patch adds a check of
    whether the checked entry's parent exists locally in the DS. If
    it does not exist, it considers the entry out of scope.
    AD strictly checks if the entry exists prior to adding it
    to a group entry as a member.  That is, a member to be added
    is supposed to be in the server, as is its parent.
    With this change, the AD user which is not synchronized to
    the DS is just skipped when adding to the group in the DS, in
    the same manner as a user out of scope is.
    
    https://fedorahosted.org/389/ticket/47327
    
    Reviewed by Rich (Thanks!!)
    (cherry picked from commit 9b0834c07888aa1ee88b52141460a3b4e80d1962)