If you're using the RemoteUserBackend
authentication backend with LDAP, then you could subclass it, override the configure_user
method and set the permission there.
If you're using a different method to authenticate, then you can use the post_save
signal.