OK. So the solution is this. You need to configure the LDAP Plugin in the "Settings" - "Other" section. I used a non encrypted implementation of LDAP in my lab so this is why I point to port 389. My AD domain is mgmt.ssclab.com so all the answer below will reflect that. Adjust as you need. My read only ldap account in AD is "ldap ro". Your's will probably be different (or you need to create one if you don't have one). I put all the users I want to give access to openstack in an AD group called "openlab":

Domain name: mgmt
LDAP URL: ldap://<IP of MS AD>:389
LDAP Proxy: None
Use TLS: Nope
CA Chain: Leave blank
LDAP Suffix: DC=mgmt,DC=ssclab,DC=com
LDAP User: CN=ldap ro,CN=Users,DC=mgmt,DC=ssclab,DC=com
LDAP User Password: some super secure password ;-)
LDAP Query Scope: Sub
Users Tree DN: CN=Users,DC=mgmt,DC=ssclab,DC=com
User Filter: (memberOf=CN=openlab,CN=Users,DC=mgmt,DC=ssclab,DC=com)
User Object Class: person
User ID Attribute: sAMAccountName
User Name Attribute: sAMAccountName
User Password Attribute: Leave blank
User Enabled/Disabled Attribute: userAccountControl
Groups Tree DN: Leave blank
Group Filter: Leave blank
Group Object Class: Leave blank
Group ID Attribute: Leave blank
Group Name Attribute: Leave blank
Group Member Attribute: Leave blank
Group description Attribute: Leave blank
Page Size Attribute: 0
Chase referrals Attribute: False
List of additional Domains: Leave blank
List of custom LDAP proxy configs: Leave blank

Hope this help you get going. Took me hours to figure our what was needed.