The keystone folks have decided to deprecate project membership via ldap. This wasn't supposed to happen until M but in truth the v3 api is totally broken for this so we probably need to move sooner.
How, then, will pam/ssh determine project membership? I don't know.
the transition is described here:
And a tentative roadmap is here: