[exim] Deny authentication to some users

I know this should be pretty trivial, but it's been so long since I've
messed with my Exim configuration that I'm not able to make much
progress in getting something that works.

I'm looking to deny authenticated SMTP access to some users. We've had
a phishing problem and I'd like to be able to ban some users from using
various services. In this case, I need to shut off authenticated SMTP.
Fortunately the spammers have only exploited our webmail system and
haven't gone directly to the submission port yet, but I figure it's only
a matter of time.

Ideally, I'd just add a user to a particular group in LDAP and be done
(as I can do with ssh and DenyGroup) but the mechanics of adding an LDAP
lookup to an authenticator seem to elude me, as does the method for
actually doing an LDAP group membership lookup. I'm starting from this
simple authenticator:

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = "${if saslauthd{{$2}{$3}{smtp}} {1}}"
server_set_id = $2

I'm pretty sure it's just a matter of nesting an LDAP lookup inside of
server_condition, but so far all I've managed to do is confuse myself.

Thanks in advance for any suggestions.

- J<