Comment 16 for bug 1626046

Dmitry Mescheryakov (dmitrymex) wrote :

Robert, MOS OpenStack source repositories were always closed for people outside of Mirantis. On the other hand, OpenStack packages (specs) and dependencies repos are open. E.g.
https://review.fuel-infra.org/#/admin/projects/openstack-build/keystone-build
https://review.fuel-infra.org/#/admin/projects/packages/trusty/rabbitmq-server

But you may consume the resulting packages. If I am not mistaken, 9.3.0-3~u14.04+mos7 packages from the following mirror should contain the fix: http://mirror.fuel-infra.org/mos-repos/ubuntu/snapshots/9.0-2017-04-03-122420/pool/main/k/keystone/

Please note that the behaviour is not enabled by default, as enabling it opens a security hole. To enable it, you need to set [federation]/cache_group_membership_in_db=True in /etc/keystone/keystone.conf and restart the apache2 service. I will write a standalone comment describing the vulnerability and how to mitigate it.