Organizational data is held in publicly accessible directories accessed via the Lightweight Directory Access Protocol (LDAP). In general, end applications can query the directory via LDAP, but cannot update it. Up until Grizzly, the OpenStack Identity management service, Keystone, required write access to the backing store if you wanted to be able to manage authorization from within OpenStack. This mismatch has been addressed in Havana.
The Mirantis Blog
Your guide through the wilderness of Open Cloud