Comment 4 for bug 1859759

Colleen Murphy (krinkle) wrote :

I was able to reproduce this behavior, which surprised me a bit because even if the user is removed from the LDAP backend there is still a shadow record of it in the keystone database. Unfortunately, if you query keystone for the user it calls to the LDAP backend to verify the user exists, so it appears to the user (and to openstackclient) that the user doesn't exist. There's no way that openstackclient could handle this better because it always must query keystone's /v3/users API to check the ID of the user.

Brainstorming ideas, options I see are 1) expose the shadow user table in the API somehow so that a query for a no-longer-existing user returns some kind of result - maybe showing the user as disabled or deleted, or 2) create a new keystone-manage command or enhance the keystone-manage mapping_purge command to purge all deleted users from the shadow table (which should cascade to delete their role assignments as well).