Hello OpenStack-dev,

I am running Keystone in a virtual environment with an LDAP backend. When user_id_attribute is set to sn (and the LDAP directory is configured accordingly), `openstack user list --domain default --group test-group` results in

    Group member `userid` for group `f44a7fbb9e174ba5823474c759d43643` not found in the directory. The user should be removed from the group. The user will be ignored.

for a groupOfNames that has userid as a member. However, `openstack user list` works OK and lists all user names and ids.

Outputs: http://paste.openstack.org/show/609820/

It seems that the problem is here: https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1280

cn is used as the id attribute regardless of configuration in https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126.

keystone.conf: http://paste.openstack.org/show/609845/

LDAP directory: http://paste.openstack.org/show/609846/

Any ideas? This smells of a bug.

Boris Kudryavtsev
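
The mismatch the message above suspects, as an added example that is not part of the original post and is not Keystone's code: a simplified in-memory model in which a group member's id is taken from the first RDN of its DN while users are looked up by the configured id attribute. The directory entries, the DNs, the sn value and all function names are constructed assumptions.

```python
# Simplified model of the suspected mismatch; not Keystone's implementation.
# Constructed directory (DN -> attributes): the user's RDN is cn, its id is sn.
USER_DN = "cn=userid,ou=Users,dc=example,dc=org"
GROUP_DN = "cn=test-group,ou=Groups,dc=example,dc=org"
DIRECTORY = {
    USER_DN: {"cn": ["userid"], "sn": ["1001"]},
    GROUP_DN: {"cn": ["test-group"], "member": [USER_DN]},
}

def id_from_dn(dn):
    """Strategy A: use the value of the leftmost RDN as the user id.
    (The constructed DNs contain no escaped commas, so a split is enough.)"""
    return dn.split(",", 1)[0].split("=", 1)[1]

def id_from_entry(dn, id_attr):
    """Strategy B: read the member's entry and return the configured id attribute."""
    entry = DIRECTORY.get(dn)
    if entry is None or id_attr not in entry:
        return None
    return entry[id_attr][0]

def find_user_by_id(user_id, id_attr):
    """Look up a user whose configured id attribute equals user_id."""
    for dn, attrs in DIRECTORY.items():
        if ",ou=Users," in dn and user_id in attrs.get(id_attr, []):
            return dn
    return None

def list_group_members(group_dn, id_attr, derive_id):
    """Return (found_ids, missing_ids) for the group's member DNs."""
    found, missing = [], []
    for member_dn in DIRECTORY[group_dn]["member"]:
        user_id = derive_id(member_dn)
        if user_id is not None and find_user_by_id(user_id, id_attr):
            found.append(user_id)
        else:
            missing.append(user_id)  # the "not found in the directory" case
    return found, missing

if __name__ == "__main__":
    # user_id_attribute = sn, id derived from the DN: the member looks missing.
    print(list_group_members(GROUP_DN, "sn", id_from_dn))
    # Same configuration, id read from the entry's sn attribute: the member resolves.
    print(list_group_members(GROUP_DN, "sn", lambda dn: id_from_entry(dn, "sn")))
```

With the id attribute set to cn, both strategies agree, which matches the report that the problem only appears once user_id_attribute differs from the attribute used in the member DN.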