Keystone ldap driver should allow for a mechanism to propagate ldap messages when needed

Bug #1365456 reported by Mahesh Sawaiker
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The ldap driver overwrites any error message seen during binding with "User Name/Password invalid".
There needs to be a mechanism to allow propagating the messages further, based on some configuration.

For example, ldap may be configured to lock an account after multiple auth failures; in such a case the user should know his account is locked.

I did this by modifying the code as follows.

"/usr/lib/python2.6/site-packages/keystone/auth/plugins/password.py" - changes from line 125 to 126

115         try:
116             self.identity_api.authenticate(
117                 context,
118                 user_id=user_info.user_id,
119                 password=user_info.password,
120                 domain_scope=user_info.domain_id)
121         except AssertionError as e:
122             # authentication failed because of invalid username or password
123             msg = _('Invalid username or password')
124
125             if str(e) == "Error, Account is locked":
126                 msg = _('Error, Account is locked')

vim /usr/lib/python2.6/site-packages/keystone/identity/backends/ldap.py - changes from line 67 to 69

 53
 54     def authenticate(self, user_id, password):
 55         try:
 56             user_ref = self._get_user(user_id)
 57         except exception.UserNotFound:
 58             raise AssertionError(_('Invalid user / password'))
 59         if not user_id or not password:
 60             raise AssertionError(_('Invalid user / password'))
 61         conn = None
 62         try:
 63             conn = self.user.get_connection(self.user._id_to_dn(user_id),
 64                                             password)
 65             if not conn:
 66                 raise AssertionError(_('Invalid user / password'))
 67         except ldap.UNWILLING_TO_PERFORM as e:
 68             raise AssertionError(e[0]['info'])
 69         except Exception:
 70             raise AssertionError(_('Invalid user / password'))
 71         finally:
 72             if conn:
 73                 conn.unbind_s()
 74         return identity.filter_user(user_ref)

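An added example (not keystone's code and not the reporter's patch) of the configurable propagation the report asks for: a config flag decides whether bind diagnostics are surfaced at all, and an allow-list decides which ones, so the lockout text reaches the user while arbitrary server text (which can reveal account state or directory internals) still collapses to the generic message. `LdapBindError`, `constructed_bind`, the `bind` callable and the `propagate_bind_errors` option are constructed stand-ins for the python-ldap exception, the directory, `self.user.get_connection()` and a keystone config setting.

```python
from types import SimpleNamespace
GENERIC_MSG = 'Invalid user / password'
# Constructed allow-list: only these server diagnostics may be surfaced.
PROPAGATED_INFO = frozenset(['Error, Account is locked'])

class LdapBindError(Exception):
    """Stand-in for a python-ldap exception (args[0] holds 'desc'/'info')."""
    def __init__(self, desc, info=''):
        super().__init__({'desc': desc, 'info': info})

def bind_failure_message(exc, propagate_bind_errors):
    """Caller-visible text for a failed bind, gated by the assumed option."""
    if not propagate_bind_errors:
        return GENERIC_MSG
    info = exc.args[0].get('info', '') if exc.args and isinstance(exc.args[0], dict) else ''
    # Anything outside the allow-list collapses to the generic message.
    return info if info in PROPAGATED_INFO else GENERIC_MSG

def authenticate(bind, user_id, password, propagate_bind_errors=False):
    """bind(user_id, password) stands in for self.user.get_connection()."""
    if not user_id or not password:  # never attempt an anonymous/empty bind
        raise AssertionError(GENERIC_MSG)
    conn = None
    try:
        conn = bind(user_id, password)
    except LdapBindError as e:
        raise AssertionError(bind_failure_message(e, propagate_bind_errors))
    except Exception:
        raise AssertionError(GENERIC_MSG)
    finally:
        if conn:
            conn.unbind_s()
    return user_id

def constructed_bind(user_id, password):
    """Constructed directory: one locked account, one valid credential."""
    if user_id == 'locked-user':
        raise LdapBindError('unwilling to perform', 'Error, Account is locked')
    if (user_id, password) == ('alice', 'correct-horse'):
        return SimpleNamespace(unbind_s=lambda: None)
    raise LdapBindError('invalid credentials', 'server-internal detail')

def auth_message(bind, user_id, password, propagate=False):
    """Message a caller would see for this attempt, or None on success."""
    try:
        authenticate(bind, user_id, password, propagate)
    except AssertionError as e:
        return str(e)
    return None
```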
Revision history for this message
Lance Bragstad (lbragstad) wrote :

This is pretty similar to bug #1365458. Suggest making bug #1365458 general enough to fit both cases if you need to and we can track the progress under one bug report.
