I have been trawling around for how this works in detail and found very little info. Perhaps I'm looking in the wrong place.

The authentication was very easy to get working.

The roles on the other hand are currently a mystery. Many apps that we have use ldap to store a list of roles in a separate tree to the users, with a member or uniqueMember list per role - the entry in the list is the DN of the user.

I'm not sure what the ID store is doing but it seems to ignore the role DNs and search using the user DNs, it is also trying to match using the uid, the uniqueMember field I specified as the user-role-attribuite show up but I'm not sure what is happening with this - my interpreatation after monitoring the ldap interaction using wireshark.

There was a similar post from 2008, mentioning an inverse role lookup that would be supported with 2.1, is this the same case I find myself in?

Any help appreciated, as this looks like a good idea in principle at least. (simple ldap config for projects that is).