Hi I have an (OpenLDAP-based) directory that sets a specific attribute (univentionNetworkAccess) on either the user or the group based on which network Access is being granted. (1 means you are permitted, 0 or access of that attribtue indicates no access) I think this is where using access_attribute wouldn't work, as it is only defined in the users section but not groups - right? Additionnaly access should also only be granted if certain other Attributes have specific values (such as sambaAcctFlags, meaning if a user is locked or disabled). I'm looking into where this could be configured in the most meaningful way without adding to many chunks of custom logic to the default configuration... as in my experience staying close to the default config usually helps avoiding stupid errors... So far I've thought about mapping these attributes from LDAP to FR and then using unlang statements in post-auth for example to check for each condition. Q: How could I map attributes from LDAP groups to FreeRADIUS? (I've only ever done this with user attributes) (Somewhat similar as to what a guy asked in 2016: http://lists.freeradius.org/pipermail/freeradius-users/2016-August/084450.ht...) If all attributes are mappable to FreeRADIUS using unlang, making conditions in the post-auth section would look possible ... right? Or would it be better to modify the LDAP "filter =" statemens of the ldap module in the user{ } and group{ } sections with the required attributes ? (likely ending up in somewhat clunky LDAP queries) Regards Mathieu