Roles

The login handler handles users and groups, it will not create or assign any roles. Since there is no standard way to automate this function, this is the responsibility of the eZ Publish system administrator. Users and groups created by the login handler will only have the roles they inherit from their parent groups. If the roles they inherit are too restrictive, or they don't inherit any, such users may not be able to log in even when the LDAP authentication succeeded. Therefore it is recommended to create and assign a basic role with login rights to the LDAP root group (see LDAPGroupRootNodeId). This also applies to the default group (see LDAPUserGroup[]) if you want users to be able to login even when the group assignment failed.
In addition to this, it is common to make additional roles for each of the sub groups of the root group, granting the necessary permissions for each group.

Settings

LDAP login is configured in ldap.ini, for more information see descriptions in the settings file itself and the documentation regarding configuration files. In addition to this, LDAP must be enabled in the LoginHandler setting in site.ini (see examples in chapter LDAPGroupMappingType).