Typically the Cert Auth Profile specifies the certificate field that contains the user id in AD. Often this the Subject CN. This value is then used to fetch group memberships like we would for any other type of Authorization. Optionally you can assign values to specific cert fields like OU to have additional policy conditions such as IF OU=DivisionX, THEN ...
Specific to LDAP queries, the LDAP server definition defines the attribute in LDAP used to perform group membership lookups.
/Craig