Hi, I understand that the LDAP provider in keystone can be used for authenticating a user (i.e validate username and password) , and it also authorize it against roles and tenant. However this requires AD schema modification. Is it possible to use AD only for authentication and then use keystone's native database for roles and tenant lookup? The advantage is that then we don't need to touch the enterprise AD installation. Thanks Al -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131113/8b321fa4/attachment.html>