I'm confused as to why you are thinking so hard about this. Why wouldn't an allow_login() and disallow_login() method (or whatever) all within the same class suffice? From what I'm understanding, this is a one-off product that will do the translation once and you're done.
My criteria for good software:
Does it work?
Can someone else come in, make a change, and be reasonably certain no bugs were introduced?
> From what I'm understanding, this is a one-off product that will do the translation once and you're done.
Nope, the next year will see LDAP schema changes, additional back ends and more services being offered.
So why aren't you just authenticating and authorizing against the LDAP backend that's containing all this information? Why the synchronization process?