Thread:Extension talk:LDAP Authentication/Multiple queries on using ldapauth for groups/reply

You seriously don't want to use $wgLDAPDisableAutoCreate. It doesn't do what you think. MediaWiki *must* create a local account.

You really want to use group synching, rather than group restrictions. After doing so, you can manage rights by using mediawiki to do so.