Never used it, but apparently you can map users directly to roles (according to documentation):
Personally, I've only ever used Active Directory as the 'back-end LDAP', and generally map Distribution Lists / Security Groups from there to Splunk roles.
Correct. Basically, when configuring LDAP, in the sections when asking to define "groups" you simply define each user to be its own group, as described in the linked document. Then when you go into mapping Splunk roles to LDAP groups, you will find that each "group" is actually a single user.