Comment 7 for bug 1704205

"proper" configuration of LDAP isn't going to happen, so fixing this isn't prolonging that...

Similarly, documenting a way to address this on the LDAP side will do nothing. That's not going to happen either.

The only place this can be fixed is in keystone. And I don't see why it would be a contradiction to filter users that don't have fields we require... that just seems right to me.