Sean, I would like to help you, but I need more information 1. could you please explain what means your phrase: "On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)" 2. please try to use curl to debug: - uncomment "admin_token = ADMIN" in your /etc/keystone/keystone.conf and restart keystone - curl -s -H "X-Auth-Token: ADMIN" http://localhost:5000/v3/users - curl -s -H "X-Auth-Token: ADMIN" http://localhost:5000/v3/groups 3. If something wrong go to keystone log, keystone logs ldap requests, so you can see them and verify them Kind regards, Kseniya -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160802/0fb2e685/attachment.html>