Description of problem:

With the IPA NIS Listener enabled, I cannot see nested netgroups by running the
ypcat command.

Nested/member netgroups appear to be stored in the member attribute:

# test, ng, alt, example.com
dn: cn=test,cn=ng,cn=alt,dc=example,dc=com
objectClass: ipaobject
objectClass: ipaassociation
objectClass: ipanisnetgroup
cn: test
description: test
nisDomainName: example.com
ipaUniqueID: 7a5b95f4-51ca-11e1-8dcf-5254008ea76d
member: cn=test1,cn=ng,cn=alt,dc=example,dc=com

# test1, ng, alt, example.com
dn: cn=test1,cn=ng,cn=alt,dc=example,dc=com
objectClass: ipaobject
objectClass: ipaassociation
objectClass: ipanisnetgroup
cn: test1
description: test1
nisDomainName: example.com
ipaUniqueID: 7ce62078-51ca-11e1-b7f9-5254008ea76d
memberUser: uid=admin,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=test,cn=ng,cn=alt,dc=example,dc=com


Version-Release number of selected component (if applicable):

ipa-admintools-2.2.0-101.20120206T0930zgitc080c65.el6.x86_64
ipa-server-2.2.0-101.20120206T0930zgitc080c65.el6.x86_64
389-ds-base-1.2.9.16-1.el6.x86_64
389-ds-base-libs-1.2.9.16-1.el6.x86_64


How reproducible:

always

Steps to Reproduce:
1. <setup IPA server>
2. kinit admin
3. ipa netgroup-add test1 --desc=test1
4. ipa netgroup-add-member test1 --users=admin
5. ipa netgroup-add test --desc=test
6. ipa netgroup-add-member test1 --netgroups=test1
7. ipa-compat-manage enable
8. ipa-nis-manage enable
9. service rpcbind restart
10. service dirsrv restart
11. yum install yp-tools
12. ypcat -d <DOMAIN> -h localhost -k netgroup

Actual results:

You see test as an empty netgroup:

# ypcat -d $DOMAIN -h localhost -k netgroup
test
test1 (-,admin,example.com)


Expected results:

I'd expect to see the netgroup test1 listed as a member of test like this:

# ypcat -d $DOMAIN -h localhost -k netgroup
test test1
test1 (-,admin,example.com)

Additional info: