OT: Confused about LDAP in general

[<k15a-list-openldap@mail.theotherbell.com>]

Not really confused about LDAP itself but terribly confused about
implementations and how one would deal with the subtle differences
between them.  I understand what LDAP is and I have OpenLDAP up and
running just fine and I've been able to play with the directory and
some basic client applications.

Where I'm confused is this:  there are several well-known LDAP
implementations (OpenLDAP, Netscape, IBM, etc.) and a couple of LDAP
API's (JNDI for one).  I've found lots of documents that discuss
LDAP-based security  and I understand that LDAP is based somewhat on
X.500/X.509 and for the most part, the authentication stuff makes
sense.

Where I get really hung up is on authorization.  I understand
groupOfNames and I've actually seen it used in LDAP schemas.  But
seems like every LDAP server has done it's own tweaking here and there
so things are slightly different between the various implementations. 
I'm confused as to how I -- as a developer -- would develop an
application that uses an existing LDAP implementation for
authenticating whether a given user has the right to perform a given
task.

As best as I can tell, there would be some DN that sets the security
context... and some concept of roles (groupOfNames) within that
context where a given user either is or is not a member.  Would LDAP
authorization be this simple or have I completely missed the boat? 
I've searched the web high and low for detailed information on the
authorization subject and haven't really come up with anything I can
sink my teeth into.