Switching an existing instance to external auth

We’re running an established 4.4.4 instance with all local users (logging in with full email address as username). We’re finally able to switch this instance over to LDAP auth. I’ve configured greenfield RT instances before to use LDAP auth, so am familiar with configuring ExternalAuth. In this case though (existing users assigned to various RT groups, etc) I’m a little confused about the attr_match_list and attr_map settings to use.

If LDAP attribute “mail” contains a user’s email address, the following should work and “latch onto” the existing RT identity with the same email address, no?

'attr_match_list' => [

'attr_map' => {
        'Name'         => 'mail',
        'EmailAddress' => 'mail',
        'Organization' => 'physicalDeliveryOfficeName',
        'RealName'     => 'cn',