GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
What this does is:
If USER() and CURRENT_USER() don't match root is still allowed to grant the proxy privilege.
So if you connect using someuser@localhost using LDAP and LDAP tells you're root then you're still allowed to grant proxy privileges. This will only work if your user has the privilege to proxy to root.
The documentation for PROXY is here.