Once you have a Directory server installed, you are going to want to query against it from throughout the network. For many reasons, you will want traffic to the server encrypted. Here are the steps to query against a server using LDAPS from a remote machine.
Get the CA cert from your IPA server and add it to your OpenLDAP set of accepted certificates. The file name needs to end in .pem.
sudo scp $IPASERVER:/etc/ipa/ca.crt /etc/openldap/cacerts/ipa-ca.pem
Get the c_rehash utility, which is in the OpenSSL Perl utilities RPM:
sudo yum install openssl-perl
Rehash the CA cert directory:
sudo c_rehash /etc/openldap/cacerts
And now query:
ldapsearch -x -H "ldaps://$IPASERVER" -D "cn=Directory Manager" -w "$PASSWORD" -b "$IPA_BASE_DN"
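What the rehash step sets up, as an added example that is not from the original post: an OpenSSL-style CA directory is searched by a file name derived from the certificate's subject hash, so a CA file in the directory is only found once a `<hash>.0` link to it exists. The throwaway CA, the file name `demo-ca.pem` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example on constructed data: a throwaway CA in a temp directory.
# demo-ca.pem and the function names below are hypothetical.

# File name OpenSSL looks for in a CA directory: <subject hash>.0
hash_link_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# Minimal stand-in for c_rehash: one hash-named symlink per *.pem file.
# (The real c_rehash also handles hash collisions with .1, .2, ...)
rehash_dir() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        ln -sf "$(basename "$pem")" "$1/$(hash_link_name "$pem")"
    done
}

# Prints OK if the certificate chains to a CA found in the directory.
check_against_dir() {
    if openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Builds a temporary CA directory and checks it before and after rehashing.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/cacerts"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$work/ca.key" -out "$work/cacerts/demo-ca.pem" \
        2>/dev/null || return 1
    before=$(check_against_dir "$work/cacerts" "$work/cacerts/demo-ca.pem")
    rehash_dir "$work/cacerts"
    after=$(check_against_dir "$work/cacerts" "$work/cacerts/demo-ca.pem")
    rm -rf "$work"
    echo "before=$before after=$after"
}

demo
```

If an LDAPS query fails with a certificate error after copying the CA file, a missing hash link in the CA directory is the first thing to check.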
Can I connect an existing LDAP server to keystone service?
Yes you can. http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
Do you know how to map the role to the user with the LDAP as the identity service? Right now, I am using OpenStack Keystone Folsom 2012.2 version and OpenLDAP. I can get the tenant information with user_id/pw but cannot get the role information. I configured the role with attribute “roleOccupant” in the LDAP service.
In the default setup, the role is done as an object under the tenant object. Specifically:
Tenant is GroupOfName. The Role is OrganizationalRole. The RoleAssignment (called grants in the V3 API) is done (as you alluded) by putting the user DN in the RoleOccupant attribute. Thus it is simple to get the list of all users with a specific role in a tenant, as it is just all of the values in the RoleOccupant attribute. To get the set of roles for a given user in a tenant, you need to iterate through all of the roles and see which have the user in the RoleOccupant attribute.
If you have further questions please direct them to the OpenStack mailing list so the larger community can benefit from the answers.