Groups external to xwiki

Hi all. I have a need to determine group membership based on criteria defined outside xwiki, and wondering if anyone has done this, or can at least suggest a direction. We have criteria for groups defined in LDAP, such things as your department or things like that. I would like to be able to say that for a specific space, only people in so-and-so department are allowed in. However department should be only one criteria; in general I want to use an LDAP search the queries on an arbitrary set of attributes. In addition we have something called "Bluegroups", in which you can define a group name and then specify the members through either picking members individually, or again through an LDAP search. To do this, my idea was that the user would manually create an XWiki group, and then as a member give something like "ldap:(dept=HTV)", or maybe "bluegroups:Support team". Even better would be the ability to put a value such as this in the Access Rights, under group, but I don't think things are setup that way. Anyway, looking at the API, it seems like I need to implement listGroupsForUser(), which is difficult because the group members are not stored in the db. I'm left with querying all the members which begin with "ldap:" or "bluegroups:", determing which the user is a member of via an LDAP call, and then returning them. I could cache these, but since I'm not going to get notifications of group membership changes, I would need to invalidate the cache once a day or something like that. Does this seem like the most reasonable way of doing things? Or is there something that would make my life really easy and wonderful? Thanks in advance ... shawn.