This problem occurs during run time. All I have to do to reproduce this problem is to attempt to get a project-scoped token for a user who is defined in the LDAP domain but not the SQL domain. To get a token, the Keystone code must authenticate the user against the read-only LDAP domain and then retrieve the project/role information from the Keystone SQL domain. The code fails to go back to the LDAP server for the various "get_user" calls.