We are using plone.plugins.pas for retrieving users and groups from LDAP. So far, so good.
Is it possible to assign roles to LDAP groups directly as part of the site setup - either using Generic Setup or a resource registry configuration? Workaround would be to make the assignment via sharing on the root node.