I have a few comments.
We have already had a comment from one of the beta testers on this, so I figured I would pass it along.
The LDAP authentication user doesn't need to be an Admin; it just needs to be a user that has read access to all the users and groups.
Table 7.8. Group Element Mapping Configuration for posixAccount
Table 7.8. Group Element Mapping Configuration for posixGroup