Building islands of users based on LDAP/AD group memberships?

We are currently using openfire to run an internal/employee-only chat server. Recently we started a conversation around allowing our users (we are an ASP) to possibly interact with each other on a per-customer basis. So basically all the users from customer1 can chat, and so can those from customer2, but they don't see each other across groups.

We currently authenticate all users for all customers against AD, and so we were thinking of doing something with those credentials.

Here is the question. Can anyone suggest how we might best go about this?