#779 Nested groups are not unrolled during the first enumeration
Closed: Fixed None Opened 13 years ago by sgallagh.

Description of problem

Nested groups are not unrolled during the first enumeration, causing
authentication of the users in the nested group to fail; however, authentication
succeeds after the second enumeration.

Version-Release number of selected component

sssd-1.5.0-2.el6.x86_64

How reproducible

Always

Steps to Reproduce

DS setup:

  1. Server setup: (make sure all users have primary group defined)
    - SimpleGroup1 => simpleUserA simpleUserB simpleGroup3
    - SimpleGroup2 => simpleUserC simpleUserD
    - SimpleGroup3 => simpleUserE

  2. Configure SSSD with "enumerate = true". See additional info for relevant
    configuration.

  3. Restart sssd, clearing the cache.

  4. Try authenticating with simpleuserE (which is a memberOf simplegroup3 which
    is a memberOf simplegroup1)

Actual results

Authentication fails initially and succeeds after the second enumeration.

Expected results

Authentication should succeed after the first enumeration.

Additional info

  1. Relevant sssd configuration:

    [domain/LDAP]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldaps://rhdsserver.example.com:636
    ldap_search_base = dc=example,dc=com
    ldap_tls_reqcert = demand
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
    ldap_schema = rfc2307bis

    cache_credentials = true
    enumerate = true
    debug_level = 9

    access_provider = simple
    simple_allow_groups = simplegroup1

Proposed Solution

Currently our enumeration logic makes two passes: In the first pass, it creates
all of the users in the cache. In the second pass, it creates all of the
groups.

We need to split the second pass into a second and third pass, so that we have:
- Pass 1: Create users
- Pass 2: Create empty groups
- Pass 3: Populate group members

The reason some nested groups were not unrolled is that the order of their
creation would matter. If they weren't already in the sysdb when another group
wanted to add them as a member, they would be overlooked.


Originally reported as https://bugzilla.redhat.com/show_bug.cgi?id=670804
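
The ordering problem and the three-pass fix described under "Proposed Solution", as an added example that is not part of the original ticket and is not SSSD code: a simplified Python model of the cache using the ticket's groups (names lower-cased). The function names, the cache layout and the assumption that the server returns the groups in the listed order are hypothetical.

```python
# Simplified model of an enumeration cache; not SSSD code.
# Directory contents from the ticket (names lower-cased), in the order the
# server is assumed to return them.
USERS = ["simpleuser" + c for c in "abcde"]
GROUPS = {
    "simplegroup1": ["simpleusera", "simpleuserb", "simplegroup3"],
    "simplegroup2": ["simpleuserc", "simpleuserd"],
    "simplegroup3": ["simpleusere"],
}

def new_cache():
    return {"users": set(), "groups": {}}

def known(cache, name):
    return name in cache["users"] or name in cache["groups"]

def enumerate_two_pass(cache):
    """Old behaviour: each group is created and populated in the same pass."""
    cache["users"].update(USERS)
    for group, members in GROUPS.items():
        entry = cache["groups"].setdefault(group, set())
        # A member that is not in the cache yet is silently overlooked.
        entry.update(m for m in members if known(cache, m))

def enumerate_three_pass(cache):
    """Proposed behaviour: create all empty groups first, then populate them."""
    cache["users"].update(USERS)
    for group in GROUPS:
        cache["groups"].setdefault(group, set())
    for group, members in GROUPS.items():
        cache["groups"][group].update(m for m in members if known(cache, m))

def is_allowed(cache, user, allowed_group):
    """Model of simple_allow_groups: follow nested groups stored in the cache."""
    seen, stack = {allowed_group}, [allowed_group]
    while stack:
        for member in cache["groups"].get(stack.pop(), ()):
            if member == user:
                return True
            if member in cache["groups"] and member not in seen:
                seen.add(member)
                stack.append(member)
    return False

if __name__ == "__main__":
    for run in (enumerate_two_pass, enumerate_three_pass):
        cache = new_cache()
        run(cache)
        print(run.__name__, is_allowed(cache, "simpleusere", "simplegroup1"))
```

Calling `enumerate_two_pass` a second time on the same cache adds the missing `simplegroup3` link, which matches the ticket's observation that authentication succeeds after the second enumeration.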

cc: => gsr
status: new => assigned

Fixed by c3a2e4a

cc: gsr =>
resolution: => fixed
status: assigned => closed
tests: 0 => 1

Fields changed

rhbz: => 0

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.1

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1821

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
