Comment 3 for bug 1658641

I did some digging and this is what I found. The `keystone-manage mapping_populate` command is simply a wrapper that makes a call to list all users [0], since the responsibility to map local and public ID falls within the various layers of the identity API. `keystone-manage` only passes the domain ID of the domain to populate, which in turn is passed to the identity APIs list users method [1]. This is all pretty straight forward, and before we exit that method, we have a list of references [2] from LDAP (in the multi-domain case). This is passed to _set_domain_id_and_mapping() [3], which handles parsing each entity in the list. At the same time, it looks up all current id_mappings (one should exist for every user) and compares them to the list of existing entities. If a reference, recently pulled from LDAP, matches a mapping from the id_mapping table, we pull the public id from the id_mapping and update the reference [4]. At this point, any entity that has already been mapped has its corresponding public ID. Then we make another pass through the list to populate any public ID for entities that haven't been mapped (i.e. these would be the ones that you just explicitly removed using the `keystone-manage mapping_purge`` command) [5][6]. If there isn't a public ID in the entity, we will go ahead and create one from attributes [7].

So, to answer your question. You should be able to remove explicit mappings with the ``keystone-manage mapping_purge`` command, and when you go to repopulate them, existing reference should maintain their original public IDs.

As far as the python-keystoneclient bug, do you have a trace, or are you referencing the one from the description (which would be a server issue I believe)?

Hopefully this helps.

[0] https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/cmd/cli.py#L1258
[1] https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/identity/core.py#L963
[2] https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/identity/core.py#L975
[3] https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/identity/core.py#L522
[4] https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/identity/core.py#L648
[5] https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/identity/core.py#L654-L659
[6] https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/identity/core.py#L580-L588
[7] https://github.com/openstack/keystone/blob/f2d0f8c9ab38172a6e37b02339eac59da911435c/keystone/identity/mapping_backends/sql.py#L74-L76