There are two issues here. They both seem to be more Foreman related than Katello.

Process:
1) Create user group in Foreman (called Foretello Admins), check "Administrator" box.
2) Link an LDAP group to Foretello Admins (LDAP Group: "Admins")
3) Have a user in "Admins" log into the system.

Expected behavior:
4) User logs in, should have administrator privileges.

Actual behavior:
4) User logs in, has no permissions.

Additional issue:
This isn't a huge deal, since I have so few new users. But I don't run around as the 'admin' user, I stay logged in as 'adavis', with explicit 'administrator' privileges checked for my user.
When step 4 fails, I would open 'Users' from the 'Administer' menu and select the user. But unlike in the past, now the user who failed to log in doesn't appear. I have to log out of adavis and back in as admin in order to see the 'new' user, and assign them permissions.