Now that I have FreeRADIUS authenticating users via MSCHAPv2 and the sambaNTPassword attributes, the next step in my project is to limit the system so that only users in certain user groups can log in. I'm using posixGroup groups, not groupOfNames or groupOfUniqueNames. In my modules/ldap files I have: groupname_attribute = "cn" groupmembership_attribute = "memberUid" groupmembership_filter = "(memberUid=%{Stripped-User-Name:-%{User-Name}})" In my users I have DEFAULT LDAP-Group == foo However, even with these configuration options set, anyone with a valid login and password can authenticate right now. In my "radiusd -X" I see: rlm_ldap: performing search in dc=blah, with filter (&(cn=foo)(memberUid=test)) rlm_ldap: object not found or got ambiguous search result But it then goes on the authenticate the user anyhow: rlm_ldap: user test authorized to use remote access I looked around on Google, and I see -lots- of stuff about configuring LDAP group checks, but I haven't found anything that's all too helpful right now. Is there some option that I have to set to tell the system to ignore a user that's not in the proper group? And then the follow-up question to this will be: is it possible to configure FreeRADIUS to check for membership in more than one group? Put another way, how can I let the system authenticate users in the "foo" group -or- in the "bar" group? Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354