The LDAP Authenticator works wonderfully for authorizing existing uses and creating new ones on the fly. But (there's always a but), the user IDs are case sensitive.
So, I manually setup the user 'myuser' and assign groups. Then when I login as 'MyUser', it doesn't match the existing one, so a new 'MyUser' user is created.
I've had several users call me complaining that they can't access their configurations due to the fact that they entered a mixed case ID and they were previsioned with an all lowercase id.