keystone uses the most ugly tree i've ever seen
dn: cn=f7032e0da7574b0c82e3b96163429df4,ou=Roles,dc=openstack,dc=org objectClass: organizationalRole ou: sarasa cn: f7032e0da7574b0c82e3b96163429df4
is not ugly to use an UUID as a cn, that in fact is cool. the ugliness comes from using ou as container for an attribute!
also keystone does not respect user_id_attribute it just uses whatever is the dn