Yes, for authorization it is "use LDAP". You are tied to ntlm_auth/libwbinfo in terms of authentication due to the clear-text passwords being unavailable through Active Directory.[1]
Ah ha - so... when you/they say "Use LDAP" - it doesn't mean "Use LDAP exclusively"... In which case I build on the existing (working) configuration and add the extra (authorisation) check step using LDAP. Makes (more) sense now. ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail