I use “raw” setting in $LDAPOptions (syncing to an LDAP server):
Set($LDAPOptions, [ port => 636, raw => qr/(\;binary)/, ...
I hope it’s useful for you.
About permissions by group, check this post, maybe you’ll find a hint: