Alan:
Yes, that works when run through ldapsearch.
I was able to get the attribute checking working (added to dictionary, then ldap.attrmap) so I can now reject based on the value of an attribute. Thanks for the input on that.
However, if the user isn't found in LDAP (Active Directory), how do I get it to outright reject the user? I can't do attribute checking (tried that and checking for an empty value, but got attribute was not found). Right now if the user isn't found in LDAP it happily goes to authentication (which for testing purposes right now is just using the users file).