Comment 2 for bug 1658641

Tim S (timss) wrote :

Thank you Lance, that's very helpful and pretty much what I expected.

Looking at the existing documentation of deleting users[1], it would seem that purging specific Local IDs (of users) using keystone-manage is one way to go. Alternatively, purge the entire domain and repopulate the domain right afterwards.

| While keystone will dynamically maintain the identity mapping, including
| removing entries when entities are deleted via the keystone, for those
| entities in backends that are managed outside of keystone (e.g. a read-only
| LDAP), keystone will not know if entities have been deleted and hence will
| continue to carry stale identity mappings in its table. While benign,
| keystone provides an ability for operators to purge the mapping table of such
| stale entries using the keystone-manage command, for example:
|
| $ keystone-manage mapping_purge --domain-name DOMAINA --local-id <email address hidden>

Looking at the populate function however, it does not seem to support populating only specific entries [2]. Would it be ok to run a full repopulate even after only purging specific entries? Or would they be regenerated automatically?

I think that only minor clarifications are needed in the documentation as it is already quite good. It could possibly underline that any changes to DNs for already mapped entities would break the mapping, not just deleting entities. Depending on how you suggest to repopulate purged specific entries, maybe also some words about that if you feel it's necessary.

Suppose this is a bug for python-keystoneclient, but it would also be nice if it was able to still list the users in a project even if one or more users have invalid mappings. Currently it breaks ungracefully, even if it's able to request information about most users.

[1]: http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers
[2]: https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/cmd/cli.py#L1239