Comment 23 for bug 1658641

Tim S (timss) wrote :

Although possibly susceptible to the same bug, for those facing the same/similar issue it might be worth considering assigning/granting roles in projects to whole LDAP groups rather than to each user (member) in an LDAP group. This can help simplify managing membership changes, and its position in the LDAP tree (DIT) is hopefully rather stable for most organizations, compared to user objects.

For those using AD, Keystone also has good support for traversing nested group structures using the `group_ad_nesting` option, the ability to map attributes, and other things you might need.

Adding groups is also simple, and if creating a 1:1 project-to-LDAP-group mapping is your primary use case, it removes the need to look up membership status before adding users, effectively skipping a step.

$ openstack role add --project-domain default --project myproject --group-domain mydomain --group mygroup member
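For the group-based assignment above to resolve against LDAP, the domain's Keystone LDAP backend needs its group settings in place. The following keystone.conf `[ldap]` fragment is an added illustration, not part of the comment or the bug report; the DNs, attribute names and URL are constructed placeholders to adapt to your own directory.

```ini
# Constructed example: LDAP group settings for a Keystone domain backend.
[identity]
driver = ldap

[ldap]
url = ldaps://ldap.example.org          ; placeholder directory host
user = cn=keystone-bind,ou=svc,dc=example,dc=org   ; read-only bind account
password = <bind-password>              ; placeholder, keep out of VCS

; Group subtree and object class; Keystone looks groups up here when
; "openstack role add --group ..." references them by name.
group_tree_dn = ou=groups,dc=example,dc=org
group_objectclass = group
group_id_attribute = cn                 ; attribute used as the group's identity in Keystone
group_name_attribute = cn
group_member_attribute = member         ; attribute listing member DNs

; Users live in a separate subtree; membership is resolved via the group's member attribute.
user_tree_dn = ou=users,dc=example,dc=org
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName

; AD only: expand nested group membership so members of groups nested
; inside "mygroup" also receive the role assigned to it.
group_ad_nesting = true
```

Because role assignments are stored against the Keystone group ID derived from `group_id_attribute`, pick an attribute that does not change when the group is edited.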