Honor ldap_filter on filtered user list

Fix GET /v3/users?name=<name> to honor conf.ldap.user_filter.

Change-Id: I65cacc04c218a7c87855a305c7e0088ac5860cc8
Closes-Bug: #1577804

keystone/identity/backends/ldap/core.py

@@ -288,7 +288,7 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
         return self.filter_attributes(user)
 
     def get_all_filtered(self, hints):
-        query = self.filter_query(hints)
+        query = self.filter_query(hints, self.ldap_filter)
         return [self.filter_attributes(user)
                 for user in self.get_all(query, hints)]
 

keystone/tests/unit/test_backend_ldap.py

@@ -235,6 +235,20 @@ class BaseLDAPIdentity(identity_tests.IdentityTests,
                           self.identity_api.get_user,
                           self.user_foo['id'])
 
+    def test_list_users_by_name_and_with_filter(self):
+        # confirm that the user is not exposed when it does not match the
+        # filter setting in conf even if it is requested by name in user list
+        hints = driver_hints.Hints()
+        hints.add_filter('name', self.user_foo['name'])
+        domain_id = self.user_foo['domain_id']
+        driver = self.identity_api._select_identity_driver(domain_id)
+        driver.user.ldap_filter = ('(|(cn=%s)(cn=%s))' %
+                                   (self.user_sna['id'], self.user_two['id']))
+        users = self.identity_api.list_users(
+            domain_scope=self._set_domain_scope(domain_id),
+            hints=hints)
+        self.assertEqual(0, len(users))
+
     def test_remove_role_grant_from_user_and_project(self):
         self.assignment_api.create_grant(user_id=self.user_foo['id'],
                                          project_id=self.tenant_baz['id'],