This is more musing than a practical design.
Most application servers have a means to query LDAP for the authorization information for a user. This is separate from, and follows after, authentication which may be using one of multiple mechanism, possibly not even querying LDAP (although that would be strange).
And there are other mechanisms (SAML2, SSSD+mod_lookup_identity) that can, also, provide the authorization attributes.
Continue reading