Bug 1380874 - RFE: Keystone should be able to handle nested groups within Active Directory domains
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 8.0 (Liberty)
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
: ---
Assignee: Adam Young
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks: 1385438 1385439
Reported: 2016-09-30 21:48 UTC by nalmond
Modified: 2021-08-30 12:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1385438 (view as bug list)
Environment:
Last Closed: 2017-01-16 20:11:15 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2788301 0 None None None 2016-12-01 02:55:28 UTC

Description nalmond 2016-09-30 21:48:54 UTC
- What is the nature and description of the request? 
Keystone should be able to list and authenticate with Active Directory users that are members of a subgroup of a higher level group. If the upper group has a given role, users that are members of groups below (but not the upper group directly) should also have the same roles.

- Why does the customer need this? (List the business requirements here) 
To integrate with an existing Active Directory server and allow users to authenticate based on permissions set across a broad scope of groups.

- How would the customer like to achieve this? (List the functional requirements here) 

Add support in Keystone to correctly perform LDAP queries that require memberof:1.2.840.113556.1.4.1941: as part of the query.

- For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

'openstack user list --domain AD --group subgroup' should list all users that are members of the group 'subgroup', not just those that are also members of the parent group.

- Is there already an existing RFE upstream or in Red Hat Bugzilla?
no
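
Added example, not part of the bug report and not Keystone code: it builds the direct and the in-chain `memberOf` filter for a group DN (escaping the DN per RFC 4515) and emulates, over a constructed in-memory directory, which users each filter would match. The DNs, the `DIRECTORY` data and all function names are assumptions made for illustration.

```python
# Added illustration; DNs and directory contents below are constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID quoted in the request


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def member_filter(group_dn, nested=False):
    """Return a memberOf filter; nested=True adds the in-chain matching rule."""
    rule = ":%s:" % IN_CHAIN if nested else ""
    return "(memberOf%s=%s)" % (rule, escape_filter_value(group_dn))


# Constructed directory: group DN -> direct members (user DNs or group DNs).
DIRECTORY = {
    "CN=parent,DC=example,DC=com": [
        "CN=alice,DC=example,DC=com",
        "CN=subgroup,DC=example,DC=com",
    ],
    "CN=subgroup,DC=example,DC=com": ["CN=bob,DC=example,DC=com"],
}


def members(group_dn, nested=False, directory=DIRECTORY):
    """Users matched by member_filter(group_dn, nested) in `directory`."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:  # nested groups may reference each other in a loop
            continue
        seen.add(dn)
        for member in directory.get(dn, []):
            if member in directory:  # member is itself a group
                if nested:
                    stack.append(member)
            else:
                users.add(member)
    return sorted(users)


if __name__ == "__main__":
    for nested in (False, True):
        dn = "CN=parent,DC=example,DC=com"
        print(member_filter(dn, nested), "->", members(dn, nested))
```

A role granted to the parent group reaches every user the in-chain query returns, so the nested result is the set to review when auditing who holds that role.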

