I created a virtualized environment for testing Keystone and Microsoft Active Directory integration. I followed the standard installation guide for Ubuntu 14.04 and used this example for LDAP integration with a few modifications: https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD
The goal was to allow users to authenticate with their domain user accounts, but manage roles and projects from Keystone (not in MySQL, just use Keystone to write to AD).
Keystone and the LDAP backend work surprisingly well. From the CLI I can assign users to tenants and roles, create tenants, and delete tenants; it looks like everything that is needed is good. The problem starts with Horizon. From Horizon, project (tenant) creation succeeds without any failure, but it doesn't create the default _member_ organizationalRole and doesn't add the user's DN to the roleOccupant attribute. Even if you create the _member_ organizationalRole under the tenant by hand, Horizon doesn't add the user to it. This happens without a single error message, neither in the apache2 error log nor in the keystone log. It just simply doesn't happen. I even traced the LDAP communication, and there is no clue of an error. Again, all these functions work perfectly well from the Keystone CLI.
Has anybody got an idea about this? Thanks in advance for any help!