Comment 6 for bug 1382822

Morgan Fainberg (mdrnstm) wrote :

The LDAP driver is marked as domain aware = false, meaning that the users within a given domain backend are not "owned" by another domain. This is primarily a choice because of the complexity of mapping the domain in a clean way within the LDAP identity backend and the already limited number of attributes that are available in a standard LDAP schema. This all stems from using the same backend driver for read-only LDAP and read-write LDAP. In almost every case the LDAP administrators in the read-only case would not use a custom schema. In a read-write case we (in theory) could demand it, as Keystone is managing the data.

The only way to have LDAP users belong to another domain (e.g. created "in" that domain) would be to use the per-domain-identity driver functionality.

The specific 404 error you're seeing has been resolved in the Juno release by the full implementation (no longer experimental) of the per-domain identity backends; the code no longer raises the 404, but users still *must* be part of the default domain in this case (LDAP identity configured as you've outlined):

    def _clear_domain_id_if_domain_unaware(self, driver, ref):
        """Clear domain_id details if driver is not domain aware."""
        if not driver.is_domain_aware() and 'domain_id' in ref:
            ref = ref.copy()
            ref.pop('domain_id')
        return ref

I'm marking this as "won't fix" since the bug is mostly reporting that the LDAP Identity backend should be made domain aware, which is an explicit design choice to not implement.
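The following is an added illustration of the behaviour described in this comment; it is not Keystone's code and not part of the original comment. The two driver stand-ins, the DEFAULT_DOMAIN_ID value and the `set_default_domain_if_missing` step are assumptions made for the illustration; only the domain_id-clearing logic mirrors the method quoted above. It shows why a user created through a non-domain-aware (LDAP-style) driver ends up in the default domain even when the caller supplies a different domain_id, while a domain-aware driver keeps the domain the caller asked for.

```python
# Added illustration, not Keystone's code. The driver classes, the manager
# helpers and the DEFAULT_DOMAIN_ID value are assumptions for this example.

DEFAULT_DOMAIN_ID = "default"  # constructed value, not a real deployment's id


class DomainAwareDriver:
    """Stand-in for a driver that stores a per-user domain_id (assumption)."""

    def is_domain_aware(self):
        return True


class DomainUnawareDriver:
    """Stand-in for an LDAP-style driver with no per-user domain attribute
    (assumption); it cannot record which domain a user belongs to."""

    def is_domain_aware(self):
        return False


def clear_domain_id_if_domain_unaware(driver, ref):
    """Same logic as the method quoted in the comment: if the driver cannot
    record a domain, drop any domain_id the caller supplied before the
    ref reaches the driver. The caller's dict is not mutated."""
    if not driver.is_domain_aware() and 'domain_id' in ref:
        ref = ref.copy()
        ref.pop('domain_id')
    return ref


def set_default_domain_if_missing(driver, ref):
    """Assumed manager behaviour on the way back out: a ref from a
    domain-unaware driver carries no domain_id, so it is reported as a
    member of the default domain."""
    if not driver.is_domain_aware():
        ref = ref.copy()
        ref.setdefault('domain_id', DEFAULT_DOMAIN_ID)
    return ref


def create_user(driver, user):
    """Hypothetical manager flow: strip domain_id for unaware drivers,
    hand the ref to the driver, then fill in the default domain."""
    outgoing = clear_domain_id_if_domain_unaware(driver, user)
    stored = dict(outgoing)  # stand-in for driver.create_user(...)
    return set_default_domain_if_missing(driver, stored)


if __name__ == "__main__":
    request = {"name": "alice", "domain_id": "acme"}  # constructed input
    print(create_user(DomainUnawareDriver(), request))  # domain_id becomes "default"
    print(create_user(DomainAwareDriver(), request))    # domain_id stays "acme"
```

Running it shows the asymmetry the comment describes: the same create request yields a user in "acme" through the domain-aware driver but in the default domain through the domain-unaware one, because the requested domain_id was discarded before the driver ever saw it.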