You only keep users in the LDAP directory. Projects and domains are in the resource backend ([resource] section in the config file), role assignments in the [assignment] backend, roles in [role] afaik.

Furthermore, thanks to domain-specific backends, you can keep all the service and admin users, which belong to the Default domain, in the local database. This way, they can be modified by the Keystone API, unlike the normal users in the LDAP directory.
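A configuration sketch of the layout described above, added as an illustration and not taken from the original answer. The domain name `corp`, the directory `/etc/keystone/domains`, the LDAP host, the DNs and the bind password are placeholder assumptions to replace with your own values.

```ini
# --- /etc/keystone/keystone.conf ---
# Default domain: service and admin users live in the local SQL database,
# so they stay manageable through the Keystone API.
[identity]
driver = sql
# Let individual domains override the identity driver.
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains

# Projects and domains are never stored in LDAP.
[resource]
driver = sql

# Role assignments and role definitions also stay in SQL.
[assignment]
driver = sql

[role]
driver = sql

# --- /etc/keystone/domains/keystone.corp.conf ---
# Per-domain file, named keystone.<domain name>.conf.
# "corp" is an assumed domain name; only users of this domain come from LDAP.
[identity]
driver = ldap

[ldap]
# Placeholder host and DNs (assumptions).
url = ldaps://ldap.example.org
suffix = dc=example,dc=org
# Bind with a dedicated low-privilege account that only needs read access.
user = cn=keystone-bind,ou=Service,dc=example,dc=org
password = REPLACE_WITH_BIND_PASSWORD
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
# Reject LDAP servers whose certificate does not validate.
tls_req_cert = demand
tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
```

The per-domain file holds the LDAP bind password, so restrict its permissions to the account Keystone runs as.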