You can't do that with straight-up LDAP as far as I know. EDIT: I stand corrected, see below.
You can, however, set up a RADIUS server (ClearPass, NPS, ...) and use that to return roles depending on AD group membership.
With an Aruba controller you can have your RADIUS server return the Aruba VSA aruba-user-role (among many more) to have this applied to the user. No need to go into server derivation rules and the like, even.
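
What the RADIUS server does in that setup, as an added example (not part of the original post, and not ClearPass or NPS configuration): pick a role from AD group membership and encode it as the Aruba-User-Role vendor-specific attribute in the RFC 2865 layout. The group DNs, role names and least-privilege fallback are constructed assumptions; 14823 is Aruba's enterprise number and 1 is Aruba-User-Role in the Aruba RADIUS dictionary.

```python
import struct

ARUBA_VENDOR_ID = 14823      # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1          # Aruba-User-Role in the Aruba RADIUS dictionary
VENDOR_SPECIFIC = 26         # RFC 2865 section 5.26

# Constructed policy: first match wins, so the most privileged group is listed first.
GROUP_TO_ROLE = [
    ("CN=Wifi-Admins,OU=Groups,DC=example,DC=com", "admin-role"),
    ("CN=Wifi-Staff,OU=Groups,DC=example,DC=com", "staff-role"),
]
DEFAULT_ROLE = "guest-role"  # hypothetical least-privileged fallback role

def role_for(member_of):
    """Pick a role from AD memberOf values; DN comparison is case-insensitive."""
    groups = {g.strip().lower() for g in member_of}
    for dn, role in GROUP_TO_ROLE:
        if dn.lower() in groups:
            return role
    return DEFAULT_ROLE

def encode_user_role(role):
    """Encode Aruba-User-Role as a RADIUS Vendor-Specific attribute."""
    value = role.encode("ascii")
    if not value or len(value) > 247:   # 255 minus 6 header and 2 sub-header bytes
        raise ValueError("role name does not fit in one VSA")
    sub = struct.pack("!BB", ARUBA_USER_ROLE, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, ARUBA_VENDOR_ID) + sub

def decode_user_role(attr):
    """Inverse of encode_user_role; returns None for any other attribute."""
    if len(attr) < 8:
        return None
    atype, alen, vendor = struct.unpack("!BBI", attr[:6])
    if atype != VENDOR_SPECIFIC or alen != len(attr) or vendor != ARUBA_VENDOR_ID:
        return None
    vtype, vlen = struct.unpack("!BB", attr[6:8])
    if vtype != ARUBA_USER_ROLE or vlen != len(attr) - 6:
        return None
    return attr[8:].decode("ascii")
```

The role name in the attribute has to match a role that already exists on the controller.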