LDAP Authenticator can be configured to use a result set from a LDAP query to authenticate. However, is it expected that this LDAP query would only result a set of users (aka full DNs for the users in LDAP).
However, its not always straightforward to be able to author queries that return users. For example, say you would like to allow "all users from group1 and group2" to be authenticated. The LDAP query has to return a union of all members of the group1 and group2.
For example, one common configuration is that groups contain a list of its users
will return the entries
but there is no means to form a query that would return just the values of "member" attributes. (ldap client tools are able to do by filtering out the attributes on these entries.
So it will be useful to have such support to be able to specify queries that return groups.