I agree fully with that. But my problem is that it doesn't work that way now.
1. The hint for the 'ID number attribute' field on the LDAP enrolment plugin says:
If the group membership contains distinguished names, specify the same attribute you have used for the user 'ID Number' mapping in the LDAP authentication settings.
In my case the group membership doesn't contain distinguished names, so I left the field empty.
2. Even when I set the corresponding value, the LDAP enrolment isn't working.