keystone ldap part 1

keystone uses the most ugly tree i've ever seen

a role:

dn: cn=f7032e0da7574b0c82e3b96163429df4,ou=Roles,dc=openstack,dc=org
objectClass: organizationalRole
ou: sarasa
cn: f7032e0da7574b0c82e3b96163429df4

is not ugly to use an UUID as a cn, that in fact is cool. the ugliness comes from using ou as container for an attribute!

also keystone does not respect user_id_attribute it just uses whatever is the dn