Comment 26 for bug 1677723

Dmitry Mescheryakov (dmitrymex) wrote : Re: federated user gets wrong role (CVE-2017-2673)

Re if Mitaka is affected:

When we tried to get an unscoped token in Mitaka, we failed with the following trace:

 [req-a3e0e824-2c97-466a-b4c2-38079b1f0fa9 - - - - -] Unable to find valid groups while using mapping ldap-map
 Traceback (most recent call last):
   File "/keystone/keystone/auth/plugins/mapped.py", line 67, in authenticate
     self.identity_api)
   File "/keystone/keystone/auth/plugins/mapped.py", line 160, in handle_unscoped_token
     utils.validate_groups_cardinality(group_ids, mapping_id)
   File "/keystone/keystone/federation/utils.py", line 259, in validate_groups_cardinality
     raise exception.MissingGroups(mapping_id=mapping_id)
 MissingGroups: Unable to find valid groups while using mapping ldap-map

(got the trace via additional logging). I.e., a user with no groups was rejected when logging in. I don't know a way to get a scoped token without obtaining an unscoped one first. If that is indeed impossible, then Mitaka is not affected.

On the other hand, merging the fix into Mitaka should not break anything.
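The behaviour described in this comment, modelled as an added example (this is not keystone's own mapping engine, and the rule semantics are a deliberately simplified subset): a federated assertion is run through mapping rules, the resulting group IDs pass through a `validate_groups_cardinality` check, and a user whose mapping yields no groups is rejected with `MissingGroups` before any unscoped token exists. The mapping rules, assertion attributes and the `group-id-admins` identifier are constructed placeholders.

```python
"""Simplified model of federated mapping plus the group cardinality check.

Added, hypothetical illustration; NOT keystone's own mapping code. It models only
the path the trace above goes through: map assertion -> group IDs -> cardinality
check -> (would-be) unscoped token. Rule matching here supports only attribute
presence and 'any_one_of', which is a subset of real mapping semantics.
"""


class MissingGroups(Exception):
    """Same name as in the trace; message text reconstructed from the log line."""

    def __init__(self, mapping_id):
        super().__init__(
            "Unable to find valid groups while using mapping %s" % mapping_id)
        self.mapping_id = mapping_id


def remote_matches(remote_rule, assertion):
    """A 'remote' entry matches when the attribute is present and, if the rule
    lists any_one_of, the attribute value is one of those (simplified)."""
    value = assertion.get(remote_rule["type"])
    if value is None:
        return False
    if "any_one_of" in remote_rule:
        return value in remote_rule["any_one_of"]
    return True


def apply_mapping(rules, assertion):
    """Collect group IDs from the 'local' side of every rule whose 'remote'
    conditions all match the assertion."""
    group_ids = []
    for rule in rules:
        if all(remote_matches(r, assertion) for r in rule["remote"]):
            for local in rule["local"]:
                group = local.get("group")
                if group and group["id"] not in group_ids:
                    group_ids.append(group["id"])
    return group_ids


def validate_groups_cardinality(group_ids, mapping_id):
    """The check seen in the trace: an empty group list is a hard failure."""
    if not group_ids:
        raise MissingGroups(mapping_id=mapping_id)


def handle_unscoped_token(rules, assertion, mapping_id="ldap-map"):
    """Stand-in for the unscoped-token path: map, validate, then return the data
    an unscoped token would carry (only the group IDs are modelled here)."""
    group_ids = apply_mapping(rules, assertion)
    validate_groups_cardinality(group_ids, mapping_id)
    return {"groups": group_ids}


# Constructed sample mapping: only assertions carrying REMOTE_GROUPS=admins map
# to a keystone group; everyone else maps to a user but to no group at all.
SAMPLE_RULES = [
    {
        "remote": [
            {"type": "REMOTE_USER"},
            {"type": "REMOTE_GROUPS", "any_one_of": ["admins"]},
        ],
        "local": [
            {"user": {"name": "{0}"}},
            {"group": {"id": "group-id-admins"}},  # placeholder group id
        ],
    }
]


def try_login(assertion):
    """Return (accepted, detail) so both outcomes can be inspected by a caller."""
    try:
        return True, handle_unscoped_token(SAMPLE_RULES, assertion)
    except MissingGroups as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed assertions: one that maps to a group, one that maps to none.
    print(try_login({"REMOTE_USER": "alice", "REMOTE_GROUPS": "admins"}))
    print(try_login({"REMOTE_USER": "bob", "REMOTE_GROUPS": "staff"}))
```

The second call is the situation the comment describes: the mapping succeeds in the sense that it runs, but yields no groups, so the cardinality check rejects the login before any token is issued, and there is no unscoped token from which a scoped one could later be requested.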