The eZ Publish 5.4 installation documentation should be updated in the context of security vulnerability CVE-2015-5723 (http://www.doctrineproject.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html).
The problem addressed in CVE-2015-5723 is that cache files are generated which contain executable code. So anyone who is able to write to those cache files is able to execute code as the web user. So if the customer does not trust their LDAP users, those LDAP users must not have write access to those directories and files.
Nevertheless, there are specific cases where both the web user and the LDAP users need to be able to write to those files. One possible approach is to:
The SGID bit will ensure that all new files/directories created will be group-owned by the group created in #1 (no matter who actually creates the file).
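As an added example (not part of this report), the following POSIX shell functions set up a shared cache directory the way the text describes and verify that a freshly created file actually inherits the directory's group. `CACHE_DIR` and `SHARED_GROUP` are placeholders: the real eZ Publish cache paths and the name of the group from step #1 are not given above, and the `g+rwxs` mode is an assumption.

```shell
#!/bin/sh
# Added example, not from the original report. Placeholders: the cache path and
# the shared group created in step #1 are not named in the report.
CACHE_DIR="${CACHE_DIR:-/path/to/ezpublish/cache}"   # placeholder
SHARED_GROUP="${SHARED_GROUP:-ezcache}"               # placeholder

# Print the group owning a path (GNU stat first, BSD stat as fallback).
path_group() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# Return 0 if the directory carries the setgid bit (7th mode char is s or S).
has_setgid() {
    case "$(stat -c '%A' "$1" 2>/dev/null || stat -f '%Sp' "$1")" in
        ??????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Make DIR group-owned by GROUP, group-writable and setgid so that every file
# or subdirectory created inside it is group-owned by GROUP (assumed mode).
setup_shared_cache_dir() {
    dir=$1; group=$2
    chgrp "$group" "$dir" && chmod g+rwxs "$dir"
}

# Verify DIR is group-owned by GROUP with setgid set, then prove the effect by
# creating a probe file and checking that it inherited GROUP. Returns 0 on pass.
check_shared_cache_dir() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ "$(path_group "$dir")" = "$group" ] ||
        { echo "$dir is not group-owned by $group" >&2; return 1; }
    has_setgid "$dir" || { echo "setgid bit not set on $dir" >&2; return 1; }
    probe=$(mktemp "$dir/.sgid-probe.XXXXXX") || return 1
    inherited=$(path_group "$probe")
    rm -f "$probe"
    [ "$inherited" = "$group" ] ||
        { echo "probe file was created with group $inherited" >&2; return 1; }
    return 0
}

# Usage: CACHE_DIR=/srv/ezp/cache SHARED_GROUP=ezcache sh this.sh check
[ "${1:-}" = "check" ] && check_shared_cache_dir "$CACHE_DIR" "$SHARED_GROUP"
```

The setgid bit only controls which group owns new files; whether those files are group-writable still depends on the umask of the process (web server or LDAP user) that creates them.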