Unmapped groups as role

I’m using LDAP authentication and authorization, and I want that users that didn’t match any LDAP group assigned to a role, for example - kibana_read_only role. How to implement it?
Thanks.