I made a couple of small fixes in the inc/auth/ldap.php file. Patch is attached.
Line 234: the only attribute that is used from the group search is "cn", so it's rather wasteful to request all the attributes from the ldap server. In my case, some of the groups I belong to in the corporate ldap database have thousands of members, and it was taking a *very* long time to retreive them.
Line 247: AFAICT, the default group should *always* be appended to all users that successfuly log in. Otherwise, the special "@user" ACL group doesn't work.
It'd be nice if this patch could go into the next convenient release :)