authorBrant Knudson <bknudson@us.ibm.com>2013-06-25 17:14:37 -0500
committerBrant Knudson <bknudson@us.ibm.com>2013-06-25 18:02:14 -0500
commit600c38bae5ba70d3adc2ce69107ccbdddb42498d (patch)
tree6d1d3b17a5a833d8a21937f7eda45ebc01b6a19f
parent31863d1b4124e703905bb85d767fd0200e20c25e (diff)
LDAP list group users not fail if user entry deleted
Using the LDAP identity backend, if a group member entry doesn't exist in the LDAP server anymore and the group's members are listed using GET /v3/groups/{groupId}/users, Keystone returns 404 Not Found. The server should return all the group members that do exist and ignore the missing members. Fixes bug 1174585 Change-Id: I97b53e3d5a5810aa0818b785e23a1948499b29e8
-rw-r--r--keystone/identity/backends/ldap.py16
-rw-r--r--tests/test_backend_ldap.py6
2 files changed, 12 insertions, 10 deletions
diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index 2e553bc0..dffbf835 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -370,7 +370,13 @@ class Identity(identity.Driver):
users = []
for user_dn in self.group.list_group_users(group_id):
user_id = self.user._dn_to_id(user_dn)
- users.append(self.user.get(user_id))
+ try:
+ users.append(self.user.get(user_id))
+ except exception.UserNotFound:
+ LOG.debug(_("Group member '%(user_dn)s' not found in"
+ " '%(group_id)s'. The user should be removed"
+ " from the group. The user will be ignored.") %
+ dict(user_dn=user_dn, group_id=group_id))
return self._set_default_domain(users)
def check_user_in_group(self, user_id, group_id):
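Review bot: The new `except exception.UserNotFound:` branch reports the dangling member only through `LOG.debug`, so at a typical production log level nothing records that the group still references a DN with no user entry. Membership is tracked by DN here, so a stale DN left in the group would presumably apply again to any entry later created under that same DN, and an operator should be able to see it and clean it up. I would raise this to `LOG.warning(...)`. I would also pass the mapping as a logger argument, `LOG.warning(_("Group member '%(user_dn)s' not found in ..."), dict(user_dn=user_dn, group_id=group_id))`, instead of applying `%` before the call. The enclosing method starts above the hunk, so its name and docstring are not visible here.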
@@ -869,11 +875,5 @@ class GroupApi(common_ldap.BaseLdap):
for user_dn in user_dns:
if self.use_dumb_member and user_dn == self.dumb_member:
continue
- try:
- users.append(user_dn)
- except exception.UserNotFound:
- LOG.debug(_("Group member '%(user_dn)s' not found in"
- " '%(group_dn)s'. The user should be removed"
- " from the group. The user will be ignored.") %
- dict(user_dn=user_dn, group_dn=group_dn))
+ users.append(user_dn)
return users
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
index c6bf7b1c..ba739082 100644
--- a/tests/test_backend_ldap.py
+++ b/tests/test_backend_ldap.py
@@ -577,8 +577,10 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.identity_api.add_user_to_group(user_2_id, group_id)
- # Delete user 2.
- self.identity_api.delete_user(user_2_id)
+ # Delete user 2
+ # NOTE(blk-u): need to go directly to user interface to keep from
+ # updating the group.
+ self.identity_api.user.delete(user_2_id)
# List group users and verify only user 1.
res = self.identity_api.list_users_in_group(group_id)
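Review bot: The test never checks its own precondition, that after `self.identity_api.user.delete(user_2_id)` the group still holds user 2's DN. If `user.delete` ever starts removing group membership, the test would keep passing without reaching the new `except exception.UserNotFound` branch. A line before the listing such as `self.assertEqual(2, len(self.identity_api.group.list_group_users(group_id)))` would pin that down, assuming the group has no other members at this point in the test. The assertions that follow `list_users_in_group` are outside the hunk, so this may already be covered there.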