Separate role authorization and user authentication
When you configure the Identity service to use an LDAP back end, you can split authentication and authorization using the Assignments feature.

The Assignments feature enables administrators to manage project role authorization using the Identity service's own SQL database, while still providing user authentication through the LDAP directory.
To configure this:

Separating role authorization and user authentication through Assignments

Configure the Identity service to authenticate users through the LDAP driver. To do so, first find the [identity] section in the /etc/keystone/keystone.conf configuration file. Then, set the driver configuration key in that section to keystone.identity.backends.ldap.Identity:

[identity]
driver = keystone.identity.backends.ldap.Identity

Next, enable the Assignment driver. To do so, find the [assignment] section in the /etc/keystone/keystone.conf configuration file. Then, set the driver configuration key in that section to keystone.assignment.backends.sql.Assignment:

[assignment]
driver = keystone.assignment.backends.sql.Assignment

On distributions that include openstack-config, you can configure both drivers by running the following commands instead:

# openstack-config --set /etc/keystone/keystone.conf \
identity driver keystone.identity.backends.ldap.Identity
# openstack-config --set /etc/keystone/keystone.conf \
assignment driver keystone.assignment.backends.sql.Assignment
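After editing the two sections it is worth verifying that the file really expresses the split, since a stray edit that leaves both drivers pointing at LDAP means role assignments are stored in the directory instead of the Identity service's SQL database. The following script is an added example, not part of the OpenStack documentation or of Keystone itself: it parses keystone.conf-style text with the standard configparser module and reports whether [identity] and [assignment] carry the two driver values from the procedure above. The two embedded configurations are constructed samples, and the LDAP assignment driver value in the counter-example is a hypothetical name used only to show a failing check.

```python
import configparser

# Driver values named in the procedure above.
LDAP_IDENTITY_DRIVER = "keystone.identity.backends.ldap.Identity"
SQL_ASSIGNMENT_DRIVER = "keystone.assignment.backends.sql.Assignment"

# Constructed sample: the split the procedure produces
# (LDAP for user authentication, SQL for role assignments).
SPLIT_CONF = """\
[DEFAULT]
debug = False

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""

# Constructed counter-example: [assignment] still points at an LDAP driver
# (hypothetical value), so role assignments would live in the directory
# rather than in the Identity service's SQL database.
UNSPLIT_CONF = """\
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.ldap.Assignment
"""


def parse_keystone_conf(text):
    """Parse keystone.conf-style INI text.

    interpolation=None keeps literal '%' characters (for example in log
    format strings) from being treated as ConfigParser substitutions;
    strict=False tolerates repeated keys that hand-edited files accumulate.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    return parser


def check_split(conf):
    """Report whether conf implements the LDAP-identity / SQL-assignment split.

    Returns (ok, findings): ok is True only when both drivers match the
    values from the procedure; findings lists each deviation in plain words.
    A missing section or key is reported as a driver value of None.
    """
    findings = []
    identity = conf.get("identity", "driver", fallback=None)
    assignment = conf.get("assignment", "driver", fallback=None)

    if identity != LDAP_IDENTITY_DRIVER:
        findings.append("[identity] driver is %r, expected %s"
                        % (identity, LDAP_IDENTITY_DRIVER))
    if assignment != SQL_ASSIGNMENT_DRIVER:
        findings.append("[assignment] driver is %r, expected %s"
                        % (assignment, SQL_ASSIGNMENT_DRIVER))
    return (not findings, findings)


def check_split_file(path="/etc/keystone/keystone.conf"):
    """Run the same check against an on-disk configuration file."""
    with open(path) as fh:
        return check_split(parse_keystone_conf(fh.read()))


if __name__ == "__main__":
    for label, text in (("split", SPLIT_CONF), ("unsplit", UNSPLIT_CONF)):
        ok, findings = check_split(parse_keystone_conf(text))
        print("%s: %s" % (label, "OK" if ok else "; ".join(findings)))
```

Run it as-is to see the constructed samples evaluated, or call check_split_file() on a host to audit the live file; a non-empty findings list is the signal that the split described above is not in effect.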