From acef9c60722edf78bcb85328ca5ab23331ab9273 Mon Sep 17 00:00:00 2001 From: Sami MAKKI Date: Wed, 16 Oct 2019 16:10:15 +0200 Subject: [PATCH] Remove group deletion for non-sql driver when removing domains. As LDAP is now read-only, trying to remove it was throwing an error. We now only try to delete it when the driver is sql-based. Change-Id: I15b92b35b31d0e5d735a629e7c154ddd7bdda03d Closes-bug: #1848238 (cherry picked from commit d6977a0e9b3ed8ae80527d6f6ace67b687b46c60) --- keystone/identity/core.py | 25 ++++++++++--------- .../notes/bug-1848238-f6533644f7907358.yaml | 6 +++++ 2 files changed, 19 insertions(+), 12 deletions(-) create mode 100644 releasenotes/notes/bug-1848238-f6533644f7907358.yaml diff --git a/keystone/identity/core.py b/keystone/identity/core.py index 73102ee5ff..2d0c266db7 100644 --- a/keystone/identity/core.py +++ b/keystone/identity/core.py @@ -500,20 +500,21 @@ class Manager(manager.Manager): driver = self._select_identity_driver(domain_id) - user_refs = self.list_users(domain_scope=domain_id) - group_refs = self.list_groups(domain_scope=domain_id) - - for group in group_refs: - # Cleanup any existing groups. - try: - self.delete_group(group['id']) - except exception.GroupNotFound: - LOG.debug(('Group %(groupid)s not found when deleting domain ' - 'contents for %(domainid)s, continuing with ' - 'cleanup.'), - {'groupid': group['id'], 'domainid': domain_id}) + if driver.is_sql: + group_refs = self.list_groups(domain_scope=domain_id) + for group in group_refs: + # Cleanup any existing groups. + try: + self.delete_group(group['id']) + except exception.GroupNotFound: + LOG.debug(('Group %(groupid)s not found when deleting ' + 'domain contents for %(domainid)s, continuing ' + 'with cleanup.'), + {'groupid': group['id'], 'domainid': domain_id}) # And finally, delete the users themselves + user_refs = self.list_users(domain_scope=domain_id) + for user in user_refs: try: if not driver.is_sql: 
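Review bot: In the new `if driver.is_sql:` block, groups in a non-SQL domain are now skipped entirely, so anything `delete_group` does beyond the backend delete is skipped with them; that method is not visible here, but if it also removes role assignments or ID mappings for the group, those records would outlive the deleted domain. The user loop below keeps a separate `if not driver.is_sql:` branch, which suggests non-SQL entries still need keystone-side cleanup, and groups now have no equivalent. I would either add that cleanup for groups or document the gap with a comment such as `# Read-only (non-SQL) backend: groups are not deleted; keystone-side references to them are left in place.` The diffstat lists no test change, so a unit test that deletes a domain backed by a non-SQL driver would pin the fix. The enclosing method starts above and continues below this hunk.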
diff --git a/releasenotes/notes/bug-1848238-f6533644f7907358.yaml b/releasenotes/notes/bug-1848238-f6533644f7907358.yaml
new file mode 100644
index 0000000000..db6f20754a
--- /dev/null
+++ b/releasenotes/notes/bug-1848238-f6533644f7907358.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [bug 1848238 ]
+ Allow deleting a domain when using the ldap driver for a domain. There was
+ an attempt to delete the group on the ldap whereas this one is read-only.