commit 8d00d7c on 5/23/2012 added a new test for enforcing sizelimits. The expect value for memberindirect in the 'Search for permissions by attr with a limit of 1 (truncated)' test is incorrect. The HBAC Administrator should not be an indirect member, it's a direct member.

'memberindirect': [u'cn=hbac administrator,cn=privileges,cn=pbac,%s' % api.env.basedn, u'cn=it security specialist,cn=roles,cn=accounts,%s' % api.env.basedn],

It's failing because of this logic in ldap2 get_members

        for e in results:
            if unicode(e[0]) not in real_members and unicode(e[0]) not in entries:
                if membertype == MEMBERS_INDIRECT:
                    entries.append(e[0])

because real_members (i.e. direct members) is

cn=HBAC Administrator,cn=privileges,cn=pbac

and results contains:

'cn=hbac administrator,cn=privileges,cn=pbac

Note this is only a difference in case. It should have seen the real_member was already present and not added it, but the test failed because of case sensitivity.

This showed up after the DN conversion work which is case-preserving but uses case-insenstive comparison which correctly prevented adding a direct member to an indirect member list. The fix is to remove the extraneous indirect member from the expected result.