Comment 6 for bug 1089261

David Bingham (wwriverrat) wrote :

Also, when solving this, keep in mind that the ec2_user create may not be allowed by Keystone when you are configured with the LDAP Identity driver. With this config the following two scenarios will fail:
1) keystone.conf setting for ldap: user_allow_create=False
2) The authenticated user from LDAP does not have privilege in LDAP to create other users in LDAP.

Ref: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample

We are currently blocked by these scenarios. I'm not familiar with how to add use-case requirements into the blueprints and hope this helps to capture some needs for this fix.