emulated ldap enabled improperly handles updates

When tenant_enabled_emulation is set to true, update operations will fail with:

TYPE_OR_VALUE_EXISTS: {'info': 'modify/add: member: value #0 already exists', 'desc': 'Type or value exists'}

This is because during EnabledEmuMixIn.update, the object is checked for an enabled value. When it is true, the _add_enabled method is called. This does no checking, and assumes you want to add a new member attribute to your LDAP object. Since this is an update operation, it's possible the member attribute for that object already exists. A simple solution is something like:

diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index a8b4fda..2ec675e 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -496,19 +496,21 @@ class EnabledEmuMixIn(BaseLdap):
             return bool(enabled_value)

     def _add_enabled(self, object_id):
- conn = self.get_connection()
- modlist = [(ldap.MOD_ADD,
- 'member',
- [self._id_to_dn(object_id)])]
- try:
- conn.modify_s(self.enabled_emulation_dn, modlist)
- except ldap.NO_SUCH_OBJECT:
- attr_list = [('objectClass', ['groupOfNames']),
- ('member',
- [self._id_to_dn(object_id)])]
- if self.use_dumb_member:
- attr_list[1][1].append(self.dumb_member)
- conn.add_s(self.enabled_emulation_dn, attr_list)
+ enabled_value = self._get_enabled(object_id)
+ if not enabled_value:
+ conn = self.get_connection()
+ modlist = [(ldap.MOD_ADD,
+ 'member',
+ [self._id_to_dn(object_id)])]
+ try:
+ conn.modify_s(self.enabled_emulation_dn, modlist)
+ except ldap.NO_SUCH_OBJECT:
+ attr_list = [('objectClass', ['groupOfNames']),
+ ('member',
+ [self._id_to_dn(object_id)])]
+ if self.use_dumb_member:
+ attr_list[1][1].append(self.dumb_member)
+ conn.add_s(self.enabled_emulation_dn, attr_list)

     def _remove_enabled(self, object_id):
         conn = self.get_connection()

This way modify operation is attempted if the object already exists.