Comment 2 for bug 1705072

We had another bug reported closely related to this [0]. I'm wondering if the other bug could be marked as a duplicate if the following cases are met:

 - all identity backends are invoked from the callback, which will make sure we clean up the default project for everyone
 - the Forbidden exception is handled from the LDAP backend, since we don't support writeable LDAP backends

That *should* leave us with a solution the ensures all users associated with a project via their default_project_id attribute will be handled regardless of the backend. Thoughts on marked that as a duplicate?

[0] https://bugs.launchpad.net/keystone/+bug/1705081