This may not help you immediately because it appears to be something that was added in Mitaka but see the group_members_are_ids option in keystone.conf:

# If the members of the group objectclass are user IDs rather than DNs, set
# this to true. This is the case when using posixGroup as the group objectclass
# and OpenDirectory. (boolean value)
#group_members_are_ids = false

I had the same problem as you and this option fixed that for me.