LDAP-based group settings

Hi all,
I am using RT 3.2.3 on fbsd 5.3 (works great). I am using LDAP for
authentication and would like to take it one step further.

Our LDAP tree looks something like this:
In groups I have the following: group ny, group-la, group-toronto, etc…
In users, each user has an attribute for which group he belongs to; it is
possible for a user to belong to more than one group. Now if I were to
create groups on the RT side with the same names as in my LDAP tree, is
there a way I can lock down the users in RT to the groups based on their LDAP
entries?

One step beyond this, I will set group permissions for each queue, but
instead of having to manually edit each of 5k users' permissions manually, I
hope I can somehow get LDAP to tell RT what groups users can belong to.

Any ideas?