One thing I've noticed that is missing is a differentiation between users being served (for whatever systems are being authenticated for) and access to the LDAP server.

I went about building this into my fork (splitice@dbc0fce) however this isnt a configurable method of doing this.

Unfortuantely there isnt with the current API an easy way to get the group object from the user object so i was forced to operate on the group name directly (rather than adding a boolean value to the group configuration)