In LDAP: Differentiating via OU or via attribute?


I am using LDAP to allow access to a Linux system. The users and groups are structured as follows:

  • Groups and users are represented via posixGroup and posixUser, respectively.
  • Each group corresponds to a research group.
  • Each research group has a leader.
  • The leader of a group may or may not be a user.

I would like to do the following:

  • Set the owner attribute of each group to the DN of the group leader.
  • Prevent the owner from having access unless also a user.

What is the best way to distinguish between users and owners? I see two possibilities:

  1. Use two OUs: ou=users and ou=leaders. Leaders who are also users would appear in both groups.
  2. (Mis-)Use an attribute: employeeType can take multiple values, e.g. user, leader, or user,leader.

It seems that approach 1 would be easier to configure in sssd, but are there other pros and cons of the two approaches?
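As an added illustration (not from the question or any answer), here is how each approach maps onto sssd.conf; the base DN dc=example,dc=com, the server name, the OU names and the domain section names are assumed, and approach 2 assumes each role is stored as a separate value of employeeType.

```ini
# Added example, not from the original post. Two alternative domain sections
# are shown; a real sssd.conf would contain only one of them.
# Assumed: base DN dc=example,dc=com, server ldap.example.com.

# --- Approach 1: separate OUs ----------------------------------------------
# Only entries under ou=users are resolved, so a leader-only entry under
# ou=leaders cannot log in and is not even visible to getent/id.
# Caveat: a leader who is also a user has two entries (two DNs, two
# passwords) to keep consistent, and the group's owner attribute points at
# the ou=leaders DN, not at the account that actually logs in.
[domain/approach1_ous]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com

# --- Approach 2: one OU, role carried in employeeType -----------------------
# Every person entry stays resolvable (so the group's owner DN always refers
# to a real, single entry), and login is gated by an access filter instead.
# Assumes each role is a separate attribute value, so an entry holding both
# "user" and "leader" still matches (employeeType=user).
# Caveat: sssd's default access_provider is "permit"; without the three
# access lines below, any resolvable posixAccount, including a leader-only
# entry, would be allowed to log in.
[domain/approach2_attribute]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
ldap_access_order = filter
ldap_access_filter = (employeeType=user)
```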
