The problem was that the user_enabled_default is a string (defined in keystone.common.config), but then the code was using it like an int (with a bitwise-and operator).
Also, the unit tests weren't actually testing the user_enabled_mask case; the didn't reload the backend so was running with the default config. In addition, the test for user_enabled_mask set user_enabled_default to an int and not a string as it would be if it was read from the config file.
the response from OpenLdap wouldn't include the enabled. I didn't really figure this out but it was easy to recreate. I couldn't figure out a way to test it cleanly because the test is loading the data twice with different configs.
The problem was that the user_enabled_ default is a string (defined in keystone. common. config) , but then the code was using it like an int (with a bitwise-and operator).
Also, the unit tests weren't actually testing the user_enabled_mask case; the didn't reload the backend so was running with the default config. In addition, the test for user_enabled_mask set user_enabled_ default to an int and not a string as it would be if it was read from the config file.
Then for some reason when running with
[ldap] attribute = employeeType default = 512
user_enabled_
user_enabled_mask = 2
user_enabled_
the response from OpenLdap wouldn't include the enabled. I didn't really figure this out but it was easy to recreate. I couldn't figure out a way to test it cleanly because the test is loading the data twice with different configs.