Great explaination, and thanks for looking into this.

Unfortunately I've not been able to verify if a purge was successful yet due to residing role assignment issues. Using LDAP, should the local ID be "<email address hidden>" (typically capital letters) or just "USERNAME"?

Listing users still yield the error described below. Trying to remove the role assignment using the user's ID (`openstack role remove`) fails for the same reason. Could it be that the mapping is purged successfully, but the role assignment remains in a sort stale state? In that case, how should I proceed?

---

Regarding the possible python-keystoneclient bug I am refering to the one included in part in the bug description. I'm using python-openstackclient, but if I'm not mistaken these operations are a part of python-keystoneclient[1]? Chose to initially not include too much of the trace due to its verbosity and because it might be a seperate bug.

In short, when users are listed with `openstack user list --project PROJECT` or similar, the command seems to issue these API requests but fails at step 4 since it can't find an user with the ID referenced in the role assignments.

1. Authenticate/issue token (if applicable)
2. Get details about the project via `/v3/projects?name=PROJECT` (or by ID)
3. Using now acquired project ID, it asks for the role assignments in the scope of the project via `/v3/role_assignments?scope.project.id=ID`
4. Iterate through and get info about each user found in role assignments via `/v3/users/ID`
5. Print (list) users in the project

Step 4 and out for the user not found (`openstack user list --debug --project PROJECT --long`):

---

REQ: curl -g -i -X GET https://domain.com:35357/v3/users/<ID> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<token>"
"GET /v3/users/<ID> HTTP/1.1" 404 89
RESP: [404] Content-Length: 89 Vary: X-Auth-Token Keep-Alive: timeout=5, max=89 Server: Apache/2.4.18 (Ubuntu) Connection: Keep-Alive Date: Fri, 20 Jan 2017 13:54:19 GMT x-openstack-request-id: req-<ID> Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"error": {"message": "Could not find user: <username>", "code": 404, "title": "Not Found"}}

Request returned failure status: 404
REQ: curl -g -i -X GET https://domain.com:35357/v3/users?name=<ID> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<token>"
"GET /v3/users?name=<ID> HTTP/1.1" 401 114
RESP: [401] Content-Length: 114 Vary: X-Auth-Token Keep-Alive: timeout=5, max=88 X-Distribution: Ubuntu Connection: Keep-Alive Date: Fri, 20 Jan 2017 13:54:19 GMT WWW-Authenticate: Keystone uri="https://domain.com:35357" Server: Apache/2.4.18 (Ubuntu) Content-Type: application/json x-openstack-request-id: req-<ID>
RESP BODY: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

Request returned failure status 401
REQ: curl -g -i -X GET https://domain.com:35357/v3/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<token>"
"GET /v3/users HTTP/1.1" 401 114
RESP: [401] Content-Length: 114 Vary: X-Auth-Token Keep-Alive: timeout=5, max=87 X-Distribution: Ubuntu Connection: Keep-Alive Date: Fri, 20 Jan 2017 13:54:19 GMT WWW-Authenticate: Keystone uri="https://domain.com:35357" Server: Apache/2.4.18 (Ubuntu) Content-Type: application/json x-openstack-request-id: req-<ID>
RESP BODY: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

Request returned failure status: 401
Could not find resource <ID>
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/dist-packages/openstackclient/common/command.py", line 38, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 239, in take_action
    user = utils.find_resource(identity_client.users, user_id)
  File "/usr/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 118, in find_resource
    raise exceptions.CommandError(msg)
CommandError: Could not find resource <ID>
clean_up ListUser: Could not find resource <ID>

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/openstackclient/shell.py", line 118, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/dist-packages/openstackclient/shell.py", line 153, in run_subcommand
    ret_value = super(OpenStackShell, self).run:_subcommand(argv)
  File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/dist-packages/openstackclient/common/command.py", line 38, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 239, in take_action
    user = utils.find_resource(identity_client.users, user_id)
  File "/usr/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 118, in find_resource
    raise exceptions.CommandError(msg)
CommandError: Could not find resource <ID>

---

[1]: http://docs.openstack.org/developer/python-openstackclient/authentication.html