Best practice for Keystone LDAP domain config in OpenStack-Ansible (user_variables.yml, group_vars, or external playbook?)

Asked by Salvatore Aurnia

Hi all,

I am integrating Keystone with LDAP using OpenStack-Ansible.

Currently I am applying the configuration through a separate playbook which:

- enables domain_specific_drivers_enabled
- sets domain_config_dir
- places the LDAP domain file under /etc/keystone/domains/

This works, but I’m not sure if this is the intended workflow.

I have already tried defining the LDAP configuration in:

- user_variables.yml
- group_vars/keystone_all.yml

…but in both cases the domain configuration was not rendered automatically under /etc/keystone/domains/, and Keystone continued to use SQL for identity.
I searched for documentation or examples covering LDAP backend setup via OSA variables, but could not find anything conclusive — only manual or downstream implementations.

So my question is about what is considered the correct, maintainable, and persistent method for configuring Keystone LDAP domains under OSA.

My current (working) method is option #3:

- provisioning LDAP configuration via an external playbook

It works reliably, but feels more like a workaround and may require rerunning after redeployments.

Therefore I would like to clarify:

- Should Keystone LDAP parameters be defined in user_variables.yml or in group_vars?
- Is an external provisioning playbook the only supported approach today?
- Does OpenStack-Ansible offer an official way to generate the config under /etc/keystone/domains/ automatically?

Any guidance or best-practice references would be greatly appreciated.

Thanks,
S.

Question information

Language: English
Status: Solved
For: OpenStack-Ansible
Solved by: Salvatore Aurnia

#1 Dmitriy Rabotyagov (noonedeadpunk) said:

Hey,

Sorry for the obvious question, but have you checked the os_keystone documentation?
I.e. https://docs.openstack.org/openstack-ansible-os_keystone/latest/configure-keystone.html#implementing-ldap-or-active-directory-backends ?
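What the variable-driven approach from the linked documentation looks like in practice, as an added example that is not part of this thread or of the project's own docs. The `keystone_ldap` dictionary and its rendering into /etc/keystone/domains/ follow the os_keystone documentation linked above (verify against the release you deploy); all hostnames, DNs, the `CorpUsers` domain and the `keystone_ldap_bind_password` variable are constructed placeholders.

```yaml
# user_variables.yml (added example; every value below is a constructed placeholder)
#
# Each top-level key under keystone_ldap is the name of a Keystone domain.
# Per the os_keystone documentation, the role renders one file per key as
# /etc/keystone/domains/keystone.<domain>.conf and turns on
# domain_specific_drivers_enabled / domain_config_dir itself, so the
# separate playbook from the question is not needed for that part
# (assumption taken from the linked docs, not verified here).
keystone_ldap:
  CorpUsers:
    # Keys are upstream keystone.conf [ldap] option names; the role is
    # assumed to write the "[identity] driver = ldap" header for you.
    url: "ldaps://ldap.example.test:636"
    use_tls: "false"                 # STARTTLS on 389 is not wanted with ldaps://
    tls_cacertfile: "/etc/ssl/certs/corp-ldap-ca.pem"
    tls_req_cert: "demand"           # refuse an untrusted server certificate
    # Bind as a dedicated read-only service account, never as the directory admin.
    user: "cn=keystone-bind,ou=service,dc=example,dc=test"
    password: "{{ keystone_ldap_bind_password }}"   # hypothetical secret var, keep it in user_secrets.yml
    suffix: "dc=example,dc=test"
    query_scope: "sub"
    user_tree_dn: "ou=people,dc=example,dc=test"
    user_objectclass: "inetOrgPerson"
    user_id_attribute: "uid"
    user_name_attribute: "uid"
    user_mail_attribute: "mail"
    # Only members of one directory group may log in to OpenStack at all.
    user_filter: "(memberOf=cn=openstack-users,ou=groups,dc=example,dc=test)"
    group_tree_dn: "ou=groups,dc=example,dc=test"
    group_objectclass: "groupOfNames"
    group_member_attribute: "member"
    # The directory stays authoritative; Keystone must not write back to it.
    user_allow_create: "false"
    user_allow_update: "false"
    user_allow_delete: "false"
```

The domain named by the key (here `CorpUsers`) still has to exist in Keystone under exactly that name, since Keystone matches the per-domain file to the domain by name; users from it are then granted roles on projects like SQL-backed users.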

#2 Salvatore Aurnia (salvatorea) said:

Sorry, I hadn't been able to find it.