diff --git a/defaults/main.yml b/defaults/main.yml
index 7feda0cc..299c34a6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -165,22 +165,26 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 # If set this will enable dog pile cache for keystone.
 # keystone_cache_backend_argument: url:127.0.0.1:11211
 
-## LDAP section
-# Define keystone ldap information here.
+## LDAP Section
+# Define Keystone LDAP domain configuration here.
+# This may be used to add configuration for a LDAP identity back-end.
 # See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
-# for more information on available options. The sections here are defined as key: value pairs. Each
-# top level key bellow ``keystone_ldap`` is a section.
+#
+# Each top-level entry is a domain name. Each entry below that are key: value pairs for
+# the ldap section in the domain-specific configuraiton file.
+#
 # (EXAMPLE LAYOUT)
 # keystone_ldap:
-#   ldap:
+#   Users:
 #     url: "ldap://127.0.0.1"
 #     user: "root"
 #     password: "secrete"
 #     ...
-keystone_ldap_identity_driver: ldap
+keystone_ldap: {}
 keystone_ldap_domain_config_dir: /etc/keystone/domains
 
 
+
 # If you want to regenerate the keystone users SSH keys, on each run, set this var to True
 # Otherwise keys will be generated on the first run and not regenerated each run.
 keystone_recreate_keys: False
diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml
new file mode 100644
index 00000000..c048b7c2
--- /dev/null
+++ b/tasks/keystone_ldap_setup.yml
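Review bot: The new comment block under `## LDAP Section` does not say that the entry name is also used as the rendered file name (`keystone.<domain>.conf` under `keystone_ldap_domain_config_dir`) or that an entry named `Default` switches the default domain from the `sql` driver to `ldap`, both of which follow from the templates in this change and decide how a deployer should name entries; add `# The entry name is used as the Keystone domain name and as the config file name.` and `# An entry named Default replaces the SQL identity driver for the default domain.` after the "Each top-level entry" line. Since the values are written verbatim into that file, the example would be safer referencing a secret variable instead of the literal `password: "secrete"`. `configuraiton` on the "the ldap section" line is a typo for "configuration".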
@@ -0,0 +1,41 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+- name: Create Keystone LDAP domains
+  keystone:
+    command: ensure_domain
+    domain_name: "{{ item.key }}"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  with_dict: keystone_ldap
+  run_once: true
+  tags:
+    - keystone-ldap-domain-create
+
+- name: Create Keystone LDAP domain configs
+  template:
+    src: keystone.domain.conf.j2
+    dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: "0644"
+  with_dict: keystone_ldap
+  notify:
+    - Restart Apache
+  tags:
+    - keystone-ldap-domain-config
+
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
index 659cf9ef..7559909f 100644
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@@ -27,10 +27,6 @@
       dest: "/etc/keystone/keystone.conf"
       config_overrides: "{{ keystone_keystone_conf_overrides }}"
       config_type: "ini"
-    - src: "keystone.Default.conf.j2"
-      dest: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf"
-      config_overrides: "{{ keystone_keystone_default_conf_overrides }}"
-      config_type: "ini"
     - src: "keystone-paste.ini.j2"
      dest: "/etc/keystone/keystone-paste.ini"
       config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
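Review bot: `mode: "0644"` on the "Create Keystone LDAP domain configs" task leaves the rendered domain file world-readable, and that file carries the LDAP bind credentials the defaults example shows (`user`/`password`), written verbatim by keystone.domain.conf.j2; it should be `mode: "0640"` so only `keystone_system_user_name`/`keystone_system_group_name` can read it. The task also only adds files: a domain removed from `keystone_ldap`, or the `keystone.Default.conf` that keystone_post_install.yml no longer manages, stays in `keystone_ldap_domain_config_dir` and would presumably still be picked up by Keystone once `domain_specific_drivers_enabled` is set, so a `file:` task with `state: absent` for entries no longer in the dict, or at least a comment stating that this cleanup is manual, would close that gap. Whether `keystone_ldap_domain_config_dir` is created before this include runs is not visible here; if nothing else creates it, the template task fails on a fresh host.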
diff --git a/tasks/main.yml b/tasks/main.yml
index 0d416f54..f7b278f4 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -47,6 +47,11 @@
   when: >
     inventory_hostname == groups['keystone_all'][0]
 
+- include: keystone_ldap_setup.yml
+  tags:
+    - keystone-config
+    - keystone-ldap
+
 - include: keystone_federation_sp_idp_setup.yml
   when: >
     keystone_sp is defined and
diff --git a/templates/keystone.Default.conf.j2 b/templates/keystone.Default.conf.j2
deleted file mode 100644
index 96c62ee2..00000000
--- a/templates/keystone.Default.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-# LDAP configuration options
-{% if keystone_ldap is defined %}
-[identity]
-driver = {{ keystone_ldap_identity_driver }}
-
-{% for section in keystone_ldap|dictsort %}
-[{{ section.0 }}]
-{% for key, value in section.1.items() %}
-{{ key }} = {{ value }}
-{% endfor %}
-{% endfor %}
-{% endif %}
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 21b9a20e..0599a7f0 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -64,8 +64,10 @@ max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
 
 [identity]
-driver = {{ keystone_identity_driver }}
-{% if keystone_ldap is defined and keystone_ldap.ldap %}
+{% if keystone_ldap.Default is not defined %}
+driver = sql
+{% endif %}
+{% if keystone_ldap | length > 0 %}
 domain_config_dir = {{ keystone_ldap_domain_config_dir }}
 domain_specific_drivers_enabled = True
 {% endif %}
 
diff --git a/templates/keystone.domain.conf.j2 b/templates/keystone.domain.conf.j2
new file mode 100644
index 00000000..bec3f328
--- /dev/null
+++ b/templates/keystone.domain.conf.j2
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+[identity]
+driver = ldap
+
+[ldap]
+{% for key, value in item.value | dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}
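Review bot: `driver = sql` in the new `[identity]` block of templates/keystone.conf.j2 hard-codes what the removed line took from `keystone_identity_driver`, so a deployer who overrides that variable silently loses the override unless the variable is also dropped elsewhere in this change; `driver = {{ keystone_identity_driver }}` inside the same `{% if keystone_ldap.Default is not defined %}` guard keeps both behaviours. When `Default` is defined the block emits no `driver` line at all and presumably relies on Keystone's built-in default, which is worth stating next to the guard, e.g. `{# no driver here: an LDAP-backed Default domain gets its driver from keystone.Default.conf #}`. The `[identity]` section continues outside the hunk.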