Whats the best way to design my LDAP for use by multiple apps?

I need to be able to tell if a user if a member of different apps to allow access. I started by adding custom attributes for each app, boolean and such, and that works fine but somehow just doesn't feel right.

Now I'm experimenting with Groups. I have a few Groups setup of objectClass groupOfNames and I've added "member"s to them...the problem is I can't seem to find an ldapsearch that returns a list of users for a particular group. What am I missing here? This query was the closest I came as it returns the list of member attributes:

/usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" "(&(objectclass=groupOfNames)(cn=GroupA))"

Perhaps I am misunderstanding that ldap can do what I'm asking...(???)

Would I be better off with the custom attributes on my Users ou? I also need to consider that we need to provide access to seveal admins for maintenance, so we need to make sure one admin can't change the application access that they shouldn't be. Should we have a seperate branch for each app then???

tia,

Kevin