Adam Young is re-implementing the LDAP support for the new baseline of keystone that just landed, and is documenting some of this thought work at for the implementation he's planning on landing in the very near future. I'd suggest taking a look at it to see if that re-implementation answers your question.