To add to this, I was unable to store group information in Plone and have it apply properly to the LDAP-authenticated users — so I set up dedicated groups in Active Directory, and changed my group source in acl_users to LDAP, then configured mapping to the Plone roles… then it all worked great!