Hi all, I admit this is quite a complicated first question, but I'm setting up FR in a lab to try to replace an existing production deployment of a commercial alternative. Currently, we can permission a user for access to some network device via the following tuples (in order of less specificity): (user, device) (user, group of devices), (group of users, device) (group of users, group of devices). So we say, effectively in pseudocode: For authorization: Check if a user with uid=%{User-Name} exists and return the user's group if exists(acl(user, device)) { based on the assigned access profile, query LDAP for the approopriate VSAs } else if exists(acl(user, group of devices)) { based on the assigned access profile, query LDAP for the approopriate VSAs } else if exists(acl(usergroup, device)) { .... } else if exists(acl(usergroup,group of devices)) { .... } else return reject For authentication: Kerberos The authentication part is trivial, as is the first check under authorization; the existing documentation explains how to do that sort of check. I can see from the unlang manpage how to call out to one or the other modules. Is what I'm trying to do something one can do with rlm_ldap, or is it something that would be better done with rlm_python. (Yes, LDAP in python sucks rocks through straws, so I'm trying to avoid that if possible. Thanks, -c -- Coy Hile coy.hile@coyhile.com