The docs aren't very helpful on this, I'm afraid (I'm submitting feedback).

All it says is that an Administrator cannot define users/roles, that is done at the LDAP server.
But then it doesn't tell you how to configure things on the LDAP Server to adjust this?

Example:

Users are only created upon login to ZR5. You can't apparently "browse" the LDAP directory for a list of users ahead of time and assign rights (why not, I don't know, but that should be a basic feature, IMO since ZRS had it).

So, what I need to do is somehow configure ZR5 so that:
If you login, and are a member of a specific LDAP group, you are a ZR5 Administrator
If you login, and are a member of a DIFFERENT LDAP Group, you are a ZR5 User