Firstly, remember that authentication and authorization are separate issues. Secondly, consider the authentication source as an foreign key, to use database terminology. You link with that key in order to authorize activity, but you do nothing else with that key.
So, from the perspective of using an LDAP directory with a web application, if you’re not storing the user data in the directory, then treat it as a key into your database. For example, you have a user, Bob, who will authenticate using credentials stored in the directory. Is he authorized to use the application? I dunno; let’s look that up.
I’ll try to have a more concrete example in a day or so, but you know how well I do with promises. You might want to look at bugzilla‘s handling of the situation, since this is, after all, what Joe and I talked about. (Please ignore the use of Mozilla::LDAP instead of Net::LDAP. This was back in 2000.) In the future, one would appreciate it if new applications were able to assume from the get-go that someone else, like HTTP, might be providing the authentication source.