Yes, I do understand but I can also tell you that this is not the way LDAP is supposed to be used
Let me try to explain this to you.
To make a long explanation short, you are going to use LDAP like if it was RDBM, which is not (whatever backend behind).
I hope you will understand better my point with real life example:
say you have internal application (e.g. Tomcat based application) for which you want different kind of access depending on user profile.
You want people from purchasing department being able to access some features while you want people from given location able to access restricted information dedicated to this location.
- You can do it managing group (more or less like what you describe): this is known as explicit profiling because you do have to manage group membership to get accurate result. Group doesn't need to store any information like "purchasing department" because you will have to explicitly code in you application "access to THIS feature is authorized to THIS group"
- another way to achieve similar result is to implement "implicit profiling": you store and manage, for each entry, attribute describing department and location. Then in your application, you only implement one simple LDAP filter based on "department=purchasing" or "location=HQ". No need to maintain group
When user move to another location or to another organization, changing his/her attribute is enough to impact all applications implementing implicit profiling.
This is what real Identity Management provides
Back to your example, as there is no "join" request with LDAP protocol, you can prompt user for authentication and check his group membership in same LDAP request while this is straightforward if you use implicit profiling thank to LDAP filter.
This being said, Zentyal doesn't aim at proving this kind of stuff
Zentyal LDAP backend targets Zentyal modules. It can be obviously used for authentication from external applications but with no IDM feature in mind.